BIND update?
Mike Silbersack
silby at silby.com
Thu Jul 10 05:08:37 UTC 2008
On Wed, 9 Jul 2008, Mike Tancsa wrote:
> At 06:54 AM 7/9/2008, Oliver Fromme wrote:
>> Andrew Storms wrote:
>> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>>
>> I'm just wondering ...
>>
>> ISC's patches cause source ports to be randomized, thus
>> making it more difficult to spoof response packets.
>>
>> But doesn't FreeBSD already randomize source ports by
>> default? So, do FreeBSD systems require to be patched
>> at all?
>
> It doesnt seem to do a very good job of it with bind for some reason...
> Perhaps because it picks a port and reuses it ?
Yep, binding to a single query port and sticking to it is how BIND has
operated for years.
I just came up with a crazy idea, perhaps someone with more pf knowledge
could answer this question:
Can you make a pf rule that NATs all outgoing udp queries from BIND with
random source ports? That seems like it would have exactly the same
effect as BIND randomizing the source ports itself.
Granted, updating BIND would probably be the better choice long term, but
perhaps it'd be easier to push a new firewall rule out to a rack of
machines.
Mike "Silby" Silbersack
More information about the freebsd-security
mailing list