Vulnerability to cache poisoning -- the rest of the solution

Doug Barton dougb at dougbarton.us
Mon Jul 14 21:17:00 UTC 2008


Jeff Lightner wrote:
> If that's the case why wouldn't we have needed to open firewall to allow
> this behavior for tcp?

Most even relatively modern firewalls do "tcp keep state" by default, 
so when named picked a random ephemeral port to do its query the 
firewall handled it as designed.

Most modern firewalls have an option to do "udp keep state," which may 
or may not be on by default. In an ideal world, you will want to use 
this option with the new *-P1 versions of BIND, without specifying a 
UDP port to bind to.

In the alternative, you can open all UDP ports >1024 to your name 
server's IP address. In practice this should not be a problem since 
you don't have anything but named and sshd on that box, right? Just in 
case you do have something else running that needs to bind a UDP port 
you can use the combination of avoid-*-udp-ports in named.conf and 
firewall rules to block those specific ports, and allow all the others.

In the various beta versions of BIND there is an option to specify a 
range of ports for named to use for outgoing UDP queries, which should 
make it easier to configure the firewall.

hope this helps,

Doug
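The two firewall styles Doug describes, side by side with the named.conf options that go with them, as an added example script that is not part of the original post and not from ISC. It targets Linux iptables (iptables-restore syntax) rather than any particular firewall, and assumes a resolver address of 192.0.2.53 and two UDP ports (4500 and 10000) that some other daemon on the host needs; change those to match your box.

```shell
#!/bin/sh
# Firewall and named.conf fragments for a recursive resolver running a
# BIND *-P1 release with source-port randomization, in the two styles
# discussed: a stateful "udp keep state" rule set, or a stateless one that
# opens UDP >1024 to the resolver while carving out ports other daemons use.
# Rule output is in iptables-restore(8) syntax. Example script, not from BIND.

NS="${NS:-192.0.2.53}"                    # assumed resolver address
AVOID_PORTS="${AVOID_PORTS:-4500 10000}"  # assumed: UDP ports other daemons need

# Style 1: stateful. named sends each query from a random ephemeral port;
# the firewall remembers the outbound query and lets only its reply back in.
stateful_rules() {
    cat <<EOF
-A OUTPUT -s $NS -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d $NS -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Style 2: stateless. Replies come from port 53 of the authoritative server
# to whichever port >1024 named picked, so the whole range is opened. Ports
# in AVOID_PORTS are dropped ahead of that: named is told not to use them,
# and the daemons that do should get their own narrower ACCEPT rules above.
stateless_rules() {
    for p in $AVOID_PORTS; do
        echo "-A INPUT -d $NS -p udp --dport $p -j DROP"
    done
    cat <<EOF
-A OUTPUT -s $NS -p udp --dport 53 -j ACCEPT
-A INPUT -d $NS -p udp --sport 53 --dport 1024:65535 -j ACCEPT
EOF
}

# Wrap either rule set as a complete iptables-restore filter table.
ruleset() {
    printf '*filter\n'
    case "$1" in
        stateful)  stateful_rules ;;
        stateless) stateless_rules ;;
        *) echo "usage: ruleset stateful|stateless" >&2; return 1 ;;
    esac
    printf 'COMMIT\n'
}

# Matching named.conf options: never pin the query source port, and keep
# named off the ports the stateless rule set blocks.
named_conf_options() {
    list=""
    for p in $AVOID_PORTS; do
        list="$list$p; "
    done
    cat <<EOF
options {
    // "port *" lets named pick a random source port per query; a fixed
    // port here would defeat the *-P1 randomization.
    query-source address * port *;
    query-source-v6 address * port *;
    // Ports other daemons on this host need; named will not bind them.
    avoid-v4-udp-ports { ${list}};
    avoid-v6-udp-ports { ${list}};
    // Beta releases add a configurable range, which lets the firewall
    // rule match exactly what named will use:
    // use-v4-udp-ports { range 1024 65535; };
};
EOF
}

# Stand-alone use: "sh resolver-fw.sh stateful|stateless" prints a rule
# set; with no argument it prints the named.conf options block.
if [ "${1:-}" = "stateful" ] || [ "${1:-}" = "stateless" ]; then
    ruleset "$1"
else
    named_conf_options
fi
```

The stateless INPUT rule is a little tighter than "all UDP ports >1024": it also requires the reply to come from source port 53, which every authoritative server uses. One check worth doing in either style: if the resolver sits behind a NAT or PAT device, confirm with a port-randomization test that the translator preserves named's random source port, since a translator that rewrites it to a predictable value undoes what the *-P1 release bought you.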
