BIND update?

Mike Silbersack silby at silby.com
Thu Jul 10 05:54:18 UTC 2008


On Thu, 10 Jul 2008, Tim Clewlow wrote:

>> Can you make a pf rule that NATs all outgoing udp queries from BIND
>> with
>> random source ports?  That seems like it would have exactly the same
>> effect as BIND randomizing the source ports itself.
>
> Assuming this is NOT a gateway, ie a single homed DNS.
>
> This has not been tested, and may not work, but anyway, how about:
>
> nic="network interface name"
> bind_port="source port number you have set bind to ALWAYS use"
> nat on $nic from any port $bind_port to any -> ($nic)
>
> This _should_ do a special nat of both udp and tcp traffic, ie keep
> the same source IP but randomly pick a new source port.
>
> I haven't had time to set up a jail/test DNS to try this on, maybe
> it won't work at all, but that should give you an idea.
>
> Cheers, Tim.

Yes, using pf's NAT seems to work, although doxpara's checker claims that 
it is not working.

Here's what tcpdump on the external side of NAT shows me after I nat port 
53 traffic:

06:05:56.469558 IP SILBYIP.60153 > 209.85.139.9.53:  9078% [1au] A? www.l.google.com. (45)
06:05:56.535407 IP 209.85.139.9.53 > SILBYIP.60153:  9078*- 3/0/0 A 64.233.167.99,[|domain]
06:06:03.767643 IP SILBYIP.59956 > 216.239.36.10.53:  21333% [1au] A? news.google.com. (44)
06:06:03.817520 IP 216.239.36.10.53 > SILBYIP.59956:  21333*- 1/7/8 CNAME news.l.google.com. (289)
06:06:03.818565 IP SILBYIP.55784 > 64.233.167.9.53:  61468% [1au] A? news.l.google.com. (46)
06:06:03.840510 IP 64.233.167.9.53 > SILBYIP.55784:  61468*- 2/0/0 A 72.14.207.104, (67)
06:06:16.830837 IP SILBYIP.59956 > 216.239.36.10.53:  59557% [1au] A? maps.google.com. (44)
06:06:16.880945 IP 216.239.36.10.53 > SILBYIP.59956:  59557*- 1/7/8 CNAME maps.l.google.com. (289)
06:06:16.881988 IP SILBYIP.63680 > 209.85.137.9.53:  11160% [1au] A? maps.l.google.com. (46)
06:06:17.025439 IP 209.85.137.9.53 > SILBYIP.63680:  11160*- 3/0/0 A 64.233.167.104,[|domain]

As you can see, we get a different source port for each server that we 
connect to.  I would assume that makes us secure.

But the checker at doxpara doesn't think we're secure because it's just 
one server that we're connecting to repeatedly.

06:06:45.127850 IP SILBYIP.57575 > 209.200.168.66.53:  38156% [1au] A? 46e004a4f29d.toorrr.com. (52)
06:06:45.238227 IP 209.200.168.66.53 > SILBYIP.57575:  38156*- 1/0/0 CNAME[|domain]
06:06:45.239020 IP SILBYIP.57575 > 209.200.168.66.53:  11461% [1au][|domain]
06:06:45.351066 IP 209.200.168.66.53 > SILBYIP.57575:  11461*-[|domain]
06:06:45.351836 IP SILBYIP.57575 > 209.200.168.66.53:  57564% [1au][|domain]
06:06:45.466886 IP 209.200.168.66.53 > SILBYIP.57575:  57564*-[|domain]
06:06:45.467658 IP SILBYIP.57575 > 209.200.168.66.53:  31106% [1au][|domain]
06:06:45.580640 IP 209.200.168.66.53 > SILBYIP.57575:  31106*-[|domain]
06:06:45.581619 IP SILBYIP.57575 > 209.200.168.66.53:  4662% [1au][|domain]
06:06:45.692804 IP 209.200.168.66.53 > SILBYIP.57575:  4662*-[|domain]

So there we go, we saved the internet with NAT. :)

-Mike
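The two captures quoted above can be checked mechanically rather than by eye. pf allocates the translated source port when it creates a state entry and then reuses that translation for every later packet matching the same state (same protocol, addresses and ports), so a resolver that always sends from one fixed port gets one NAT port per destination server for as long as the state lives. The script below is an added example, not code from the thread or from FreeBSD; it parses tcpdump lines in the format shown above, treats the placeholder name SILBYIP as the resolver (an assumption; pass your own address as `resolver`), reports how many distinct source ports each server saw, and classifies the capture as per-destination or per-query randomization. The third capture is constructed, not captured, to show what a resolver that picks a fresh port for every query looks like.

```python
import re
from collections import defaultdict

# The two tcpdump captures quoted in the post above (SILBYIP is the placeholder
# the poster used for his own address).  First capture: queries to several
# Google servers; second: the doxpara checker's repeated queries to one server.
CAPTURE_NAT_MANY_SERVERS = """\
06:05:56.469558 IP SILBYIP.60153 > 209.85.139.9.53:  9078% [1au] A? www.l.google.com. (45)
06:05:56.535407 IP 209.85.139.9.53 > SILBYIP.60153:  9078*- 3/0/0 A 64.233.167.99,[|domain]
06:06:03.767643 IP SILBYIP.59956 > 216.239.36.10.53:  21333% [1au] A? news.google.com. (44)
06:06:03.817520 IP 216.239.36.10.53 > SILBYIP.59956:  21333*- 1/7/8 CNAME news.l.google.com. (289)
06:06:03.818565 IP SILBYIP.55784 > 64.233.167.9.53:  61468% [1au] A? news.l.google.com. (46)
06:06:03.840510 IP 64.233.167.9.53 > SILBYIP.55784:  61468*- 2/0/0 A 72.14.207.104, (67)
06:06:16.830837 IP SILBYIP.59956 > 216.239.36.10.53:  59557% [1au] A? maps.google.com. (44)
06:06:16.880945 IP 216.239.36.10.53 > SILBYIP.59956:  59557*- 1/7/8 CNAME maps.l.google.com. (289)
06:06:16.881988 IP SILBYIP.63680 > 209.85.137.9.53:  11160% [1au] A? maps.l.google.com. (46)
06:06:17.025439 IP 209.85.137.9.53 > SILBYIP.63680:  11160*- 3/0/0 A 64.233.167.104,[|domain]
"""

CAPTURE_NAT_ONE_SERVER = """\
06:06:45.127850 IP SILBYIP.57575 > 209.200.168.66.53:  38156% [1au] A? 46e004a4f29d.toorrr.com. (52)
06:06:45.238227 IP 209.200.168.66.53 > SILBYIP.57575:  38156*- 1/0/0 CNAME[|domain]
06:06:45.239020 IP SILBYIP.57575 > 209.200.168.66.53:  11461% [1au][|domain]
06:06:45.351066 IP 209.200.168.66.53 > SILBYIP.57575:  11461*-[|domain]
06:06:45.351836 IP SILBYIP.57575 > 209.200.168.66.53:  57564% [1au][|domain]
06:06:45.466886 IP 209.200.168.66.53 > SILBYIP.57575:  57564*-[|domain]
06:06:45.467658 IP SILBYIP.57575 > 209.200.168.66.53:  31106% [1au][|domain]
06:06:45.580640 IP 209.200.168.66.53 > SILBYIP.57575:  31106*-[|domain]
06:06:45.581619 IP SILBYIP.57575 > 209.200.168.66.53:  4662% [1au][|domain]
06:06:45.692804 IP 209.200.168.66.53 > SILBYIP.57575:  4662*-[|domain]
"""

# Constructed (not captured) lines showing what a resolver that picks a fresh
# source port for every query would look like against the same single server.
CONSTRUCTED_PER_QUERY = """\
06:07:00.000000 IP SILBYIP.51237 > 209.200.168.66.53:  1001% [1au] A? a.example. (40)
06:07:00.100000 IP SILBYIP.62910 > 209.200.168.66.53:  1002% [1au] A? b.example. (40)
06:07:00.200000 IP SILBYIP.54402 > 209.200.168.66.53:  1003% [1au] A? c.example. (40)
"""

# Matches the address/port/transaction-id prefix of a tcpdump DNS line; the
# host-or-IP and port are separated by the last dot before " > " or ":".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+):\s+(?P<txid>\d+)"
)


def parse_queries(capture, resolver="SILBYIP"):
    """Return (destination, source port, transaction id) for every query the
    resolver sent; response lines (source is the remote server) are skipped."""
    queries = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["src"] != resolver:
            continue
        queries.append((m["dst"], int(m["sport"]), int(m["txid"])))
    return queries


def ports_per_destination(capture, resolver="SILBYIP"):
    """Map each server queried to (number of queries, set of source ports seen)."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for dst, sport, _ in parse_queries(capture, resolver):
        counts[dst] += 1
        ports[dst].add(sport)
    return {dst: (counts[dst], frozenset(ports[dst])) for dst in counts}


def classify(capture, resolver="SILBYIP"):
    """Decide whether the source port changes per query or only per destination.

    Only servers that were asked more than once are informative: a single query
    cannot show reuse.  pf's NAT allocates the translated port when it creates a
    state entry and reuses it for every later packet matching that state, so a
    resolver bound to one fixed port comes out "per-destination" here, which is
    what the doxpara checker objects to.
    """
    repeated = {dst: stat for dst, stat in ports_per_destination(capture, resolver).items()
                if stat[0] > 1}
    if not repeated:
        return "inconclusive"
    spreads = [len(ports) for _, ports in repeated.values()]
    if all(s == 1 for s in spreads):
        return "per-destination"
    if all(s > 1 for s in spreads):
        return "per-query"
    return "mixed"


if __name__ == "__main__":
    for name, cap in (("many servers", CAPTURE_NAT_MANY_SERVERS),
                      ("one server", CAPTURE_NAT_ONE_SERVER),
                      ("constructed", CONSTRUCTED_PER_QUERY)):
        print(f"{name}: {classify(cap)}")
        for dst, (n, ports) in sorted(ports_per_destination(cap).items()):
            print(f"  {dst}: {n} queries, source ports {sorted(ports)}")
```

Run against the first capture, the script already reports per-destination behaviour: 216.239.36.10 was asked twice, thirteen seconds apart, and both queries left from port 59956 because the pf state from the first query was still alive. The doxpara capture is the same effect concentrated on one server. A few lines like these can only rule a fixed mapping out, not prove the randomization is good; judging the port range and its entropy needs many samples, which is why that checker fires a burst of queries at a single server.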