Insufficient DNS Source Port Randomization

Pete Fong petefong2012 at gmail.com
Thu Jul 28 08:08:10 UTC 2011


Hi, Matus UHLAR

No, the scanner PC and DNS server are connected by crossover cable in
my environment. Therefore I have no idea.

Thanks a lot,
Pete Fong

2011/7/28 Matus UHLAR - fantomas <uhlar at fantomas.sk>:
> On 28.07.11 15:33, Pete Fong wrote:
>>
>> My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
>> DNS server. I have installed bind-9.7.3P3-0.2.1
>>
>> Our external auditor used "NeXpose" for scanning my system. It showed
>> "Insufficient DNS Source Port Randomization Vulnerability".
>
> The insufficient randomization was afaik fixed in 9.5.0.
>
>> Therefore
>> I have followed BIND 9 Configuration Reference Guide, I have adjusted
>> named.conf configuration file as below :
>>
>> query-source address * port * ;
>> query-source-v6 address * port *;
>>
>> use-v4-udp-ports { range 1024 65535; };
>> use-v6-udp-ports { range 1024 65535; };
>
> Did you have these before? I think that BIND tries those ports by default,
> so configuring them should not affect it.
>
>> But I am not lucky; the NeXpose software still showed the same
>> vulnerability. Has anybody had the same issue? Can anybody help me?
>
> Is your resolving server behind firewall? Does the firewall change source
> port?
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> Nothing is fool-proof to a talented fool.
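Matus's question is whether something between the resolver and the Internet rewrites the UDP source port, and the scanner's finding can only be confirmed or refuted by looking at the ports the resolver actually uses. The script below is an added example, not from this thread: it parses `tcpdump -n udp port 53` style lines (constructed captures with documentation-range addresses) and classifies the resolver's outbound source ports as fixed, sequential (the pattern a PAT firewall produces), weak, or randomised; the entropy threshold for "weak" is an assumed heuristic.

```python
import math
import re
from collections import Counter

# Matches `tcpdump -n udp port 53` output: "IP src.sport > dst.53: ..."
_QUERY = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > [\d.]+\.53: ")

def source_ports(lines, resolver_ip):
    """UDP source ports of the queries `resolver_ip` sent out to port 53."""
    ports = []
    for line in lines:
        m = _QUERY.search(line)
        if m and m.group("src") == resolver_ip:
            ports.append(int(m.group("sport")))
    return ports

def assess(ports):
    """Classify the observed source ports: fixed, sequential, weak or randomised."""
    if not ports:
        return {"verdict": "no-queries", "distinct": 0, "entropy_bits": 0.0}
    n, counts = len(ports), Counter(ports)
    # Shannon entropy of the observed port distribution, in bits (max log2(n)).
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if len(counts) == 1:
        verdict = "fixed"                 # every query from the same port
    elif steps and all(0 < s <= 2 for s in steps):
        verdict = "sequential"            # typical of NAT/PAT rewriting the port
    elif entropy < math.log2(n) - 1:      # assumed threshold: repeats well above chance
        verdict = "weak"
    else:
        verdict = "randomised"
    return {"verdict": verdict, "distinct": len(counts),
            "entropy_bits": round(entropy, 2), "range": (min(ports), max(ports))}

RESOLVER = "192.0.2.10"  # constructed resolver address (documentation range)
# Constructed capture: a firewall doing PAT has rewritten the source ports to a counter.
SAMPLE_NAT = [
    "10:00:01.000000 IP 192.0.2.10.1024 > 198.51.100.1.53: 1+ A? example.com. (29)",
    "10:00:01.010000 IP 192.0.2.10.1025 > 198.51.100.2.53: 2+ A? example.net. (29)",
    "10:00:01.020000 IP 192.0.2.10.1026 > 198.51.100.3.53: 3+ A? example.org. (29)",
    "10:00:01.030000 IP 198.51.100.1.53 > 192.0.2.10.1024: 1 1/0/0 A 203.0.113.5 (45)",
    "10:00:01.040000 IP 192.0.2.10.1027 > 198.51.100.1.53: 4+ AAAA? example.com. (29)",
]
# Constructed capture: ports spread across the high range, as a patched BIND does by default.
SAMPLE_RANDOM = [
    "10:00:02.000000 IP 192.0.2.10.48213 > 198.51.100.1.53: 5+ A? example.com. (29)",
    "10:00:02.010000 IP 192.0.2.10.9177 > 198.51.100.2.53: 6+ A? example.net. (29)",
    "10:00:02.020000 IP 192.0.2.10.61532 > 198.51.100.3.53: 7+ A? example.org. (29)",
    "10:00:02.030000 IP 192.0.2.10.30441 > 198.51.100.1.53: 8+ AAAA? example.com. (29)",
]

if __name__ == "__main__":
    for name, cap in (("NAT", SAMPLE_NAT), ("RANDOM", SAMPLE_RANDOM)):
        print(name, assess(source_ports(cap, RESOLVER)))
```

Run the capture on the resolver itself and again on the scanner side of any firewall: if the two differ, the device in between is rewriting the ports and the finding belongs to it, not to BIND.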
