Vulnerability to cache poisoning -- the rest of the solution
Doug Barton
dougb at dougbarton.us
Mon Jul 14 21:17:00 UTC 2008
Jeff Lightner wrote:
> If that's the case why wouldn't we have needed to open firewall to allow
> this behavior for tcp?
Most even relatively modern firewalls do "tcp keep state" by default,
so when named picked a random ephemeral port to do its query the
firewall handled it as designed.

Most modern firewalls have an option to do "udp keep state," which may
or may not be on by default. In an ideal world, you will want to use
this option with the new *-P1 versions of BIND, without specifying a
UDP port to bind to.

In the alternative, you can open all UDP ports >1024 to your name
server's IP address. In practice this should not be a problem since
you don't have anything but named and sshd on that box, right? Just in
case you do have something else running that needs to bind a UDP port
you can use the combination of avoid-*-udp-ports in named.conf and
firewall rules to block those specific ports, and allow all the others.

In the various beta versions of BIND there is an option to specify a
range of ports for named to use for outgoing UDP queries, which should
make it easier to configure the firewall.

Hope this helps,

Doug
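A constructed configuration illustrating the combination described above (added here, not part of the original mail or of BIND's documentation): a named.conf fragment with avoid-*-udp-ports and no fixed query port, beside pf rules on FreeBSD for both the "udp keep state" approach and the open-all-high-ports alternative. The address 192.0.2.53, the interface em0 and the ports 1812/1813 of a hypothetical second UDP service on the host are assumptions.

```conf
# --- /etc/namedb/named.conf (fragment), constructed example ---
options {
    # Bind queries to this address but name NO port, so the *-P1 versions
    # of named pick a random source port for every outgoing query.
    query-source address 192.0.2.53;

    # Ports another UDP service on this host (hypothetical RADIUS) binds;
    # named will never choose them, so the firewall can keep them closed.
    avoid-v4-udp-ports { 1812; 1813; };
    avoid-v6-udp-ports { 1812; 1813; };
};

# --- /etc/pf.conf (fragment), constructed example ---
ext_if    = "em0"
ns_ip     = "192.0.2.53"
other_udp = "{ 1812, 1813 }"

# Preferred: "udp keep state". The firewall records named's outbound query
# and lets the single matching reply back in, whatever source port named used.
pass out quick on $ext_if proto udp from $ns_ip to any port 53 keep state

# Alternative when stateful UDP is not available: open every UDP port above
# 1024 toward the name server, except the ports listed in avoid-*-udp-ports
# (named never uses them, so nothing legitimate is lost by closing them).
# "quick" makes the block rule win over the broader pass rule below it.
block in quick on $ext_if proto udp from any to $ns_ip port $other_udp
pass in on $ext_if proto udp from any to $ns_ip port > 1024
```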