Risks of patched servers behind de-randomizing NAT

Jeff Reasoner jeff.reasoner at mail.hccanet.org
Fri Aug 1 17:57:19 UTC 2008 

OT, I agree, but certainly relevant to the issue at hand.

I noticed the same thing a couple of weeks ago after I upgraded to
9.4.2-P1. It is absolutely the PIX and will happen with 6.x through 8.x
code.
However, this issue is related to how the code PATs outbound traffic and
can be resolved by setting up a static NAT for the nameserver.

You can do this on the fly by adding (adjusting for actual interface
names):

static (inside,outside) ...

and then

clear xlate local <IP addr>
clear xlate global <IP addr>

At that point the various DNS tests mentioned on the list should report
good results.

Of course, all this assumes you are being routed enough public IP
address space and have a free address to use...


On Fri, 2008-08-01 at 06:43 -0500, Kirk wrote:
> Mark Andrews wrote:
> >> David Carmean pisze:
> >>> I seem to have lost a message where somebody from ISC (Paul?) was going to
> >>> release an updated/new advisory regarding the source-port de-randomizing
> >>> effects of many NAT implementations will have upon patched servers.  
> >> But why someone puts a DNS server behind a NAT? It's a bit nonsensical...
> > 
> > 	There are lots of reasons to put a recursive server behind
> > 	a NAT.  It's something that just "should work" and does if
> > 	you arn't trying to introduce entroy by randomising ports.
> > 
> > 	Note. Not all NATs have bad behaviours in this respect.  Some try
> > 	to preserve the internal port.
> > 
> > 	MArk
> > 	
> 
> 
> This is slightly off topic.  However, I thought it appropriate to share.
> 
> At home I have two recursive servers sitting on a private lan behind a 
> Cisco PIX 501.  These servers are mostly to play with, but also provides 
> recursion to all the nodes in my house.
> 
> After upgrading these servers to the latest patched version of BIND, I 
> tried the porttest query to test randomization.  Well, both got POOR 
> ratings.  This led me to believe that my PIX was the culprit.
> 
> Last night, I spent close to 30 with the Cisco help desk trying to get 
> assistance, only to find that because my unit was out of warranty and I 
> had no contract, they could be of no help.  They suggested  I open a 
> "web-help" ticket with Cisco.  This also returned no help for the same 
> reason.  Also, my appliance is already at the highest code OS leve.
> 
> I guess those of us who purchased Cisco products that are out of 
> warranty and under no contract are at risk until we purchase some new 
> appliance.
> 
> http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
> 
> Sorry for the rant, but it "seemed" sort of appropriate here in this thread.
> 
> - Kirk
>

More information about the bind-users mailing list