dns exploit
Brian Keefer
chort at smtps.net
Sat Jul 26 06:53:46 UTC 2008
On Jul 25, 2008, at 11:43 PM, Chris Buxton wrote:
>
> On Jul 25, 2008, at 11:30 PM, Brian Keefer wrote:
>
>> I just looked at it a bit more closely...
>>
>> I'm using OpenBSD for my firewall and my nameservers. The
>> firewall is 3.5, the nameservers are 4.3. The firewall is just
>> doing standard PF nat for outbound requests. Whether I used the
>> doxpara tool, or dns-oarc the source ports from my recursive
>> resolver were the same (pre-patch), but on the external interface
>> of my firewall, the packets to doxpara did not get randomized
>> ports, while those to dns-oarc did. Post-patch the resolver
>> itself has random source ports, so it's moot.
I verified that they're random on the external side of my firewall,
in addition to simply being random coming out of my resolver on the
internal net.
> I'm not exactly sure what you said, but I do know that if your
> firewall or port forwarder is changing the source ports of outbound
> queries to be something predictable, or to be all the same, then
> you have a problem. The patch on your name server is not enough -
> you also have to fix your firewall.
>
In English it translates close enough as: In one set of cases my
firewall was randomizing the ports from the original static values,
while in another set of cases it was not randomizing them from the
original static values. I found this very odd. Since applying the
patch they're random on both sides.
> Linux iptables does not appear to change source ports.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
Not by default, but people have written custom netfilter/iptables
rules to do it.
iptables:
http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
PF:
http://blog.spoofed.org/2008/07/mitigating-dns-cache-poisoning-with-pf.html
Anyway, I welcome the continued discussion as it seems like this
will be a very long and laborious procedure to get even 80% of
network infrastructure protected. I spent half the day today
tracking down servers at work that needed to be patched, and fixing
some that had query-source-port 53; //sigh
Fortunately smart folks have pointed out forwarding requests to
patched resolvers, or using packet filter port randomization as
immediate work-arounds until permanent solutions can be put into place.
Brian Keefer
Sr. Systems Engineer
www.Proofpoint.com
"Defend email. Protect data."
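The two-sided check described in the message (are query source ports random leaving the resolver, and still random on the firewall's external interface?) as an added example; this is not code from the original post, and the port lists are constructed samples standing in for values pulled out of a tcpdump capture.

```python
"""Check whether captured DNS query source ports look randomized.

Added example, not from the original post. Ports would come from tcpdump
on the resolver and on the firewall's external interface, as the thread
describes; the lists below are constructed samples."""
import math
from collections import Counter

STATIC_PORTS = [53] * 20                       # "query-source port 53"
SEQUENTIAL_PORTS = list(range(32768, 32788))   # incrementing allocator
RANDOM_PORTS = [49155, 61023, 35821, 52930, 40176, 58764, 33402, 64401,
                44819, 37560, 55238, 62947, 41005, 59731, 36488, 50310,
                48273, 63119, 39854, 57702]

def shannon_entropy_bits(ports):
    """Entropy of the observed port distribution, in bits."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())

def is_sequential(ports):
    """True when every consecutive pair differs by the same small step."""
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    return len(ports) > 2 and len(deltas) == 1 and 0 < abs(deltas.pop()) <= 2

def classify_source_ports(ports):
    """Return 'static', 'sequential', 'weak' or 'randomized'."""
    if len(set(ports)) == 1:
        return "static"
    if is_sequential(ports):
        return "sequential"
    # N samples can show at most log2(N) bits; a randomized resolver should
    # sit near that bound and spread over a wide slice of the port range.
    max_bits = math.log2(len(ports))
    spread = max(ports) - min(ports)
    if shannon_entropy_bits(ports) < 0.9 * max_bits or spread < 1024:
        return "weak"
    return "randomized"

def firewall_verdict(inside_ports, outside_ports):
    """Compare the resolver-side and external-side captures: a NAT box can
    undo the resolver's randomization, or mask a resolver that lacks it."""
    inside = classify_source_ports(inside_ports)
    outside = classify_source_ports(outside_ports)
    if inside == "randomized" and outside == "randomized":
        return "ok on both sides"
    if inside == "randomized":
        return "firewall rewrites ports predictably: fix the firewall"
    if outside == "randomized":
        return "firewall randomizes, resolver does not: patch the resolver"
    return "predictable on both sides: patch resolver and firewall"
```

Twenty samples is enough to catch a static or incrementing allocator; judging "randomized" with confidence on a real capture needs a few hundred queries.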