Insufficient DNS Source Port Randomization

Danilo Godec danilo.godec at agenda.si
Thu Jul 28 08:37:02 UTC 2011


If I understand correctly, the connection between the scanner PC and 
your DNS server is not really the issue here.

What can cause problems is a firewall between your DNS server and the 
Internet.


    Danilo



On 07/28/2011 10:08 AM, Pete Fong wrote:
> Hi, Matus UHLAR
>
> No, the scanner PC and the DNS server are connected by a crossover cable in
> my environment. Therefore I have no idea.
>
> Thanks a lot,
> Pete Fong
>
> 2011/7/28 Matus UHLAR - fantomas<uhlar at fantomas.sk>:
>> On 28.07.11 15:33, Pete Fong wrote:
>>> My Linux is OpenSuSE 11.4 with kernel 2.6.37.6-0.5, which is used as a
>>> DNS server. I have installed bind-9.7.3P3-0.2.1
>>>
>>> Our external auditor used "NeXpose" for scanning my system. It showed
>>> "Insufficient DNS Source Port Randomization Vulnerability".
>> The insufficient randomization was afaik fixed in 9.5.0.
>>
>>> Therefore
>>> I have followed BIND 9 Configuration Reference Guide, I have adjusted
>>> named.conf configuration file as below :
>>>
>>> // "port *" lets named pick a random source port for each query;
>>> // a fixed port here would disable source port randomization.
>>> query-source address * port *;
>>> query-source-v6 address * port *;
>>>
>>> use-v4-udp-ports { range 1024 65535; };
>>> use-v6-udp-ports { range 1024 65535; };
>> Did you have these before? I think that BIND tries those ports by default,
>> so configuring them should not affect it.
>>
>>> But I am not lucky: the NeXpose software still shows the same
>>> vulnerability. Has anybody had this issue? Can anybody help me?
>> Is your resolving server behind firewall? Does the firewall change source
>> port?
>> --
>> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>> Nothing is fool-proof to a talented fool.
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>


-- 
Danilo Godec, system administration

Visit our updated web page at www.agenda.si

OPEN SOURCE AND LINUX
SERVICES : BUSINESS SOLUTIONS : IT MANAGEMENT : IT INFRASTRUCTURE : TRAINING : SOFTWARE
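The check this thread is circling, as an added example (not code from the bind-users list, from ISC, or from the scanner vendor): a scanner such as NeXpose only sees the source ports that actually leave the firewall, so the useful measurement is taken on the Internet-facing side (for instance `tcpdump -n` on the outside interface with a `udp dst port 53` filter) rather than on the crossover cable. The script below pulls the UDP source ports out of tcpdump-style lines, then scores how random they look: how many are unique, how wide a span they cover, and whether they step up one at a time, which is what a firewall or NAT that allocates translated ports sequentially produces. The capture lines and port lists are constructed samples, and the pass/fail thresholds are this example's own choices, not anything NeXpose or BIND documents.

```python
"""Judge DNS source-port randomization from what the Internet side sees.

Added example, not code from the bind-users thread or from ISC. The
tcpdump lines and port lists below are constructed samples, not real
traffic; the thresholds in assess() are this example's own choices.
"""
import math
import re
from collections import Counter

# tcpdump -n prints "IP <src>.<sport> > <dst>.<dport>: ..." for UDP queries.
# Only outbound queries (destination port 53) are of interest.
_QUERY_RE = re.compile(r"\bIP (\S+)\.(\d+) > (\S+)\.53: ")


def source_ports_from_tcpdump(lines):
    """Extract the UDP source port of every outbound query in tcpdump output."""
    ports = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(2)))
    return ports


def entropy_bits(ports):
    """Shannon entropy of the observed port values, in bits."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def longest_sequential_run(ports):
    """Longest run of ports that each increase by exactly 1, the signature
    of a NAT that hands out translated ports sequentially."""
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def assess(ports, min_spread=16384):
    """Return (verdict, stats). Thresholds (assumptions of this example):
    nearly every port should be unique, the observed span should cover a
    good part of the 1024-65535 range BIND draws from, and there should be
    no sequential runs."""
    if not ports:
        raise ValueError("no DNS queries in sample")
    n = len(ports)
    stats = {
        "queries": n,
        "unique": len(set(ports)),
        "spread": max(ports) - min(ports),
        "entropy_bits": round(entropy_bits(ports), 2),
        "longest_run": longest_sequential_run(ports),
    }
    problems = []
    if stats["unique"] < 0.9 * n:
        problems.append("ports repeat (fixed port or small NAT pool)")
    if stats["spread"] < min_spread:
        problems.append("ports confined to a narrow range")
    if stats["longest_run"] > 2:
        problems.append("ports allocated sequentially")
    stats["problems"] = problems
    return ("randomized" if not problems else "insufficient"), stats


# Constructed samples: what the outside interface might show with and
# without a port-rewriting firewall in the path.
RANDOMIZED_PORTS = [53201, 1788, 40322, 62019, 9917, 27744, 51106, 3355,
                    45870, 18236, 60443, 33012, 7619, 49250, 21577, 38994]
NAT_SEQUENTIAL_PORTS = list(range(1024, 1040))
FIXED_PORT = [53] * 16

CAPTURE = [  # constructed tcpdump -n lines from the outside interface
    "10:08:01.000100 IP 203.0.113.5.53201 > 198.51.100.2.53: 1001+ A? example.com. (29)",
    "10:08:01.000900 IP 198.51.100.2.53 > 203.0.113.5.53201: 1001 1/0/0 A 93.184.216.34 (45)",
    "10:08:02.000100 IP 203.0.113.5.1788 > 198.51.100.3.53: 1002+ AAAA? example.net. (29)",
    "10:08:03.000100 IP 203.0.113.5.40322 > 198.51.100.4.53: 1003+ MX? example.org. (29)",
]

if __name__ == "__main__":
    for name, sample in [("randomized", RANDOMIZED_PORTS),
                         ("nat-sequential", NAT_SEQUENTIAL_PORTS),
                         ("fixed-port", FIXED_PORT)]:
        print(name, *assess(sample))
    print("capture ports:", source_ports_from_tcpdump(CAPTURE))
```

Running it on a real capture means feeding `source_ports_from_tcpdump()` a few dozen lines taken outside the firewall while the resolver is busy; if the verdict is "randomized" on the inside interface but "insufficient" on the outside one, the firewall is rewriting source ports and no named.conf change will satisfy the scanner.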



