Risks of patched servers behind de-randomizing NAT

Kirk bind at kirkb.net
Fri Aug 1 11:43:25 UTC 2008


Mark Andrews wrote:
>> David Carmean wrote:
>>> I seem to have lost a message where somebody from ISC (Paul?) was going to
>>> release an updated/new advisory regarding the source-port de-randomizing
>>> effects of many NAT implementations will have upon patched servers.  
>> But why someone puts a DNS server behind a NAT? It's a bit nonsensical...
> 
> 	There are lots of reasons to put a recursive server behind
> 	a NAT.  It's something that just "should work" and does if
> 	you aren't trying to introduce entropy by randomising ports.
> 
> 	Note. Not all NATs have bad behaviours in this respect.  Some try
> 	to preserve the internal port.
> 
> 	Mark
> 	


This is slightly off topic.  However, I thought it appropriate to share.

At home I have two recursive servers sitting on a private LAN behind a 
Cisco PIX 501.  These servers are mostly to play with, but also provide 
recursion to all the nodes in my house.

After upgrading these servers to the latest patched version of BIND, I 
tried the porttest query to test randomization.  Well, both got POOR 
ratings.  This led me to believe that my PIX was the culprit.

Last night, I spent close to 30 with the Cisco help desk trying to get 
assistance, only to find that because my unit was out of warranty and I 
had no contract, they could be of no help.  They suggested I open a 
"web-help" ticket with Cisco.  This also returned no help for the same 
reason.  Also, my appliance is already at the highest code OS level.

I guess those of us who purchased Cisco products that are out of 
warranty and under no contract are at risk until we purchase some new 
appliance.

http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml

Sorry for the rant, but it "seemed" sort of appropriate here in this thread.

- Kirk
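The "POOR" porttest rating Kirk describes can be reproduced locally by looking at the source ports a NAT actually puts on the wire. This is an added example, not code from the thread or from ISC's porttest: it parses constructed `tcpdump -n` lines captured on the WAN side of a NAT and rates the port diversity. The GOOD/FAIR/POOR labels follow porttest's output; the thresholds, the `is_sequential` heuristic and the addresses (documentation ranges) are this example's own assumptions.

```python
import re

# Constructed tcpdump -n output for queries leaving a NAT. Many NATs hand
# out translation ports in order, which is exactly what undoes BIND's
# randomisation (first capture); a NAT that preserves the internal port
# leaves the randomised ports visible (second capture).
CAPTURE_SEQUENTIAL_NAT = """\
11:43:25.100231 IP 203.0.113.7.1024 > 198.51.100.1.53: 41021+ A? example.com. (29)
11:43:25.100987 IP 203.0.113.7.1025 > 198.51.100.2.53: 7190+ A? example.net. (29)
11:43:25.101644 IP 203.0.113.7.1026 > 198.51.100.3.53: 22315+ AAAA? example.org. (32)
11:43:25.102310 IP 203.0.113.7.1027 > 198.51.100.1.53: 9004+ MX? example.com. (29)
11:43:25.102955 IP 203.0.113.7.1028 > 198.51.100.4.53: 55123+ A? test.example. (30)
"""
CAPTURE_PORT_PRESERVING_NAT = """\
11:43:25.100231 IP 203.0.113.7.52341 > 198.51.100.1.53: 41021+ A? example.com. (29)
11:43:25.100987 IP 203.0.113.7.10377 > 198.51.100.2.53: 7190+ A? example.net. (29)
11:43:25.101644 IP 203.0.113.7.61022 > 198.51.100.3.53: 22315+ AAAA? example.org. (32)
11:43:25.102310 IP 203.0.113.7.3399 > 198.51.100.1.53: 9004+ MX? example.com. (29)
11:43:25.102955 IP 203.0.113.7.48810 > 198.51.100.4.53: 55123+ A? test.example. (30)
"""

# Client-side UDP port of a query to port 53: "IP a.b.c.d.PORT > w.x.y.z.53:"
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: ")


def parse_source_ports(capture):
    """Return the outbound source port of every DNS query line, in order."""
    ports = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def is_sequential(ports, max_step=4):
    """Heuristic for NAT-style allocation: most consecutive queries differ
    by a small positive step. Threshold (80%) is an assumption."""
    if len(ports) < 3:
        return False
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if 0 < s <= max_step) >= 0.8 * len(steps)


def rate_ports(ports):
    """GOOD: every query on a fresh, non-sequential port. POOR: a fixed port
    or sequential allocation. FAIR: some reuse but no obvious pattern."""
    distinct = len(set(ports))
    if distinct <= 2 or is_sequential(ports):
        return "POOR"
    if distinct == len(ports):
        return "GOOD"
    return "FAIR"
```

A resolver rated GOOD from inside the LAN but POOR from a capture taken outside the NAT points at the NAT, not at BIND, as the post concludes.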

