PNAT vs. vuln.
Chris Buxton
cbuxton at menandmice.com
Sat Jul 19 17:59:19 UTC 2008
On Jul 19, 2008, at 10:13 AM, David Carmean wrote:
> So does standard PNAT just negate any advantage given by the
> recent patches? Or is there more to it than just source port
> randomness?
If by PNAT you mean port mapping by a NAT device, the answer is often
yes. It depends on the implementation. For example, Linux iptables
does not appear to cause problems.
The problem here is that, in masquerading the outbound IP of the
query, the NAT device may also change the outbound source port, often
using a predictable sequence. Or it may change all outbound queries to
use the same port.
Ideally, the NAT router would only change the source port if the
original source port conflicted with a port already in use, such as
from an outbound query from another name server behind the same NAT
router.
Chris Buxton
Professional Services
Men & Mice
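An added example, not code from this thread or from BIND: a small Python check for the behaviour Chris describes. Capture the queries a resolver sends on the public side of the NAT (for instance `tcpdump -n udp dst port 53` on the authoritative side), feed the lines in, and it reports whether the source ports look randomized or whether the NAT has collapsed them onto one port, hands them out in sequence, or confines them to a narrow pool. The tcpdump line format is the standard `-n` output; the sample capture lines, the port lists and the thresholds are constructed assumptions for illustration.

```python
"""Check whether a resolver's outbound source ports survive NAT un-randomized.

Added example for this thread, not code from bind-users or any BIND tool.
Input is the kind of tcpdump -n output an authoritative server (or anything
on the public side of the NAT) would show for queries from one resolver; the
sample lines below are constructed, and the thresholds are assumptions.
"""
import math
import re
from collections import Counter

# tcpdump -n prints "IP <src>.<sport> > <dst>.<dport>: ..." for UDP; we only
# keep queries sent to port 53.
QUERY_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.53: ")

MIN_SAMPLES = 8  # assumption: fewer observations than this is not a verdict


def source_ports_from_capture(lines, resolver_ip):
    """Return the UDP source ports, in arrival order, of queries from resolver_ip."""
    ports = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports


def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution, in bits.

    One port for every query scores 0; n distinct ports in n queries score log2(n).
    """
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports):
    """Fraction of consecutive queries whose port rose by a small step (1..8).

    A NAT handing out ports in order gives a fraction near 1.0; genuinely
    random ports almost never do.
    """
    if len(ports) < 2:
        return 0.0
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if 1 <= s <= 8) / len(steps)


def classify_ports(ports):
    """Label the port pattern: insufficient, constant, sequential, narrow or random.

    "narrow" means the ports vary but sit inside a small window (a NAT with a
    small port pool), which is still far easier to guess than a full 16 bits.
    The thresholds are assumptions chosen for illustration, not standards.
    """
    if len(ports) < MIN_SAMPLES:
        return "insufficient"
    if len(set(ports)) == 1:
        return "constant"
    if sequential_fraction(ports) >= 0.8:
        return "sequential"
    if max(ports) - min(ports) < 2048:
        return "narrow"
    return "random"


def sample_capture(ports, resolver_ip="203.0.113.5", auth_ip="192.0.2.1"):
    """Constructed tcpdump -n style lines, one A query per port, for testing."""
    return [
        f"12:00:{i:02d}.000000 IP {resolver_ip}.{p} > {auth_ip}.53: "
        f"{1000 + i}+ A? host{i}.example.com. (34)"
        for i, p in enumerate(ports)
    ]


# Constructed observations for three resolvers behind different NAT behaviour.
RANDOM_PORTS = [40923, 3117, 61004, 25788, 9930, 52231, 18377, 44416, 60001, 7802,
                33345, 21109, 49990, 12650, 57288, 36741, 5121, 28870, 63377, 15004]
SEQUENTIAL_PORTS = list(range(1031, 1051))   # NAT rewriting to the next free port
CONSTANT_PORTS = [1024] * 20                 # NAT folding every query onto one port


def report(lines, resolver_ip):
    """Classify the ports a capture shows for one resolver."""
    ports = source_ports_from_capture(lines, resolver_ip)
    return {
        "queries": len(ports),
        "distinct_ports": len(set(ports)),
        "entropy_bits": round(port_entropy_bits(ports), 2) if ports else 0.0,
        "verdict": classify_ports(ports),
    }


if __name__ == "__main__":
    for name, ports in (("random", RANDOM_PORTS), ("sequential", SEQUENTIAL_PORTS),
                        ("constant", CONSTANT_PORTS)):
        print(name, report(sample_capture(ports), "203.0.113.5"))
```

A "constant" or "sequential" verdict means the NAT has thrown away the randomization the patched resolver added; the behaviour Chris calls ideal, where the NAT keeps the original source port unless it collides, leaves the verdict at "random". The capture must be taken outside the NAT: on the resolver itself the ports will always look random, because the rewrite happens after the packet leaves it.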