dns exploit
Brian Keefer
chort at smtps.net
Sat Jul 26 06:30:49 UTC 2008
On Jul 25, 2008, at 11:20 PM, Chris Buxton wrote:
> On Jul 25, 2008, at 11:02 PM, Brian Keefer wrote:
>
>> On Jul 25, 2008, at 10:43 PM, Chris Buxton wrote:
>>
>>> That sure seems like a lot of work when you could just:
>>>
>>> dig porttest.dns-oarc.net txt +short @server-ip
>>>
>>
>> Also, I noticed that doxpara/noclicky have different results for my
>> nameservers than porttest.dns-oarc.net has. doxpara says I fail,
>> dns-
>> oarc.net says I pass. Looking at a tcpdump I see that the queries
>> indeed use the same port for doxpara, but different ports for dns-
>> oarc. I haven't had a chance to look closely enough yet to figure
>> out why that is.
>>
> As for the different results, all I can say is that's pretty odd.
> I'd like to know what ISC has to say about this.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
I just looked at it a bit more closely...
I'm using OpenBSD for my firewall and my nameservers. The firewall
is 3.5, the nameservers are 4.3. The firewall is just doing standard
PF nat for outbound requests. Whether I used the doxpara tool, or
dns-oarc the source ports from my recursive resolver were the same
(pre-patch), but on the external interface of my firewall, the
packets to doxpara did not get randomized ports, while those to dns-
oarc did. Post-patch the resolver itself has random source ports, so
it's moot.
There have been several suggestions for writing PF nat statements to
cover this vulnerability, and other folks supposedly had luck with
them, so perhaps something changed with PF's randomization since
3.5? I haven't had enough spare time to comb the commit comments...
Dan did mention something in his blog about not having updated his
tool to account for iptables or PF randomization, but I'm not sure
why the tool being able to force the same source port is a bug with
his script rather than a way to defeat said packet filter
randomization...
Brian Keefer
Sr. Systems Engineer
www.Proofpoint.com
"Defend email. Protect data."
More information about the bind-users
mailing list