BIND update?
Tim Clewlow
tim at clewlow.org
Thu Jul 10 05:48:39 UTC 2008
>
> On Wed, 9 Jul 2008, Mike Tancsa wrote:
>
>> At 06:54 AM 7/9/2008, Oliver Fromme wrote:
>>> Andrew Storms wrote:
>>> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>>>
>>> I'm just wondering ...
>>>
>>> ISC's patches cause source ports to be randomized, thus
>>> making it more difficult to spoof response packets.
>>>
>>> But doesn't FreeBSD already randomize source ports by
>>> default? So, do FreeBSD systems require to be patched
>>> at all?
>>
>> It doesn't seem to do a very good job of it with bind for some
>> reason...
>> Perhaps because it picks a port and reuses it?
>
> Yep, binding to a single query port and sticking to it is how BIND
> has operated for years.
>
> I just came up with a crazy idea, perhaps someone with more pf
> knowledge could answer this question:
>
> Can you make a pf rule that NATs all outgoing udp queries from BIND
> with random source ports? That seems like it would have exactly the
> same effect as BIND randomizing the source ports itself.
>
> Granted, updating BIND would probably be the better choice long
> term, but perhaps it'd be easier to push a new firewall rule out to
> a rack of machines.
>
Assuming this is NOT a gateway, i.e. a single-homed DNS.
This has not been tested, and may not work, but anyway, how about:

nic="network interface name"
bind_port="source port number you have set bind to ALWAYS use"
nat on $nic from any port $bind_port to any -> ($nic)

This _should_ do a special nat of both udp and tcp traffic, i.e. keep
the same source IP but randomly pick a new source port.
I haven't had time to set up a jail/test DNS to try this on, maybe
it won't work at all, but that should give you an idea.
Cheers, Tim.
We are BSD ... resistance is futile.
http://www.freebsd.org/ - http://www.openbsd.org/ -
http://www.netbsd.org/
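A defender-side check for the question raised in this thread (whether a resolver really spreads its query source ports, or keeps reusing one), as an added example that is not part of the original posts: it parses constructed tcpdump-style lines for outbound queries from an assumed resolver address 192.0.2.53 and reports how many distinct source ports were used.

```python
import re
from collections import Counter
from math import log2

# Matches a tcpdump-style line "... IP src.sport > dst.53: ..." (a query to port 53).
LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53:")

# Constructed sample captures (not real traffic). 192.0.2.53 is the assumed resolver;
# the first line of each set is a client query *to* the resolver and must be ignored.
FIXED_PORT_CAPTURE = [
    "12:00:00.1 IP 192.0.2.10.40211 > 192.0.2.53.53: 700+ A? example.com. (29)",
    "12:00:00.2 IP 192.0.2.53.53 > 198.51.100.1.53: 1+ A? example.com. (29)",
    "12:00:00.3 IP 192.0.2.53.53 > 198.51.100.2.53: 2+ A? example.net. (29)",
    "12:00:00.4 IP 192.0.2.53.53 > 198.51.100.3.53: 3+ A? example.org. (29)",
    "12:00:00.5 IP 192.0.2.53.53 > 198.51.100.4.53: 4+ MX? example.com. (29)",
]
RANDOM_PORT_CAPTURE = [
    "12:00:01.1 IP 192.0.2.10.40212 > 192.0.2.53.53: 701+ A? example.com. (29)",
    "12:00:01.2 IP 192.0.2.53.50123 > 198.51.100.1.53: 1+ A? example.com. (29)",
    "12:00:01.3 IP 192.0.2.53.61777 > 198.51.100.2.53: 2+ A? example.net. (29)",
    "12:00:01.4 IP 192.0.2.53.54009 > 198.51.100.3.53: 3+ A? example.org. (29)",
    "12:00:01.5 IP 192.0.2.53.59342 > 198.51.100.4.53: 4+ MX? example.com. (29)",
]

def query_source_ports(lines, resolver_ip):
    """Source ports of queries sent *by* resolver_ip; all other traffic is skipped."""
    ports = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("src") == resolver_ip:
            ports.append(int(m.group("sport")))
    return ports

def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution (0.0 = one fixed port)."""
    n = len(ports)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(ports).values())

def assess(lines, resolver_ip):
    """Summarise how well a resolver spreads its query source ports in a capture."""
    ports = query_source_ports(lines, resolver_ip)
    distinct = len(set(ports))
    if not ports:
        verdict = "no-data"
    elif distinct == 1:
        verdict = "fixed"        # every query left from the same port
    elif distinct / len(ports) < 0.5:
        verdict = "weak"         # ports are reused far too often
    else:
        verdict = "randomized"
    return {"queries": len(ports), "distinct_ports": distinct,
            "entropy_bits": round(port_entropy_bits(ports), 3), "verdict": verdict}
```

Run the same check before and after adding the pf rule (or updating BIND) to confirm the change actually took effect on the wire.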