[Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]

Jeremy Chadwick koitsu at FreeBSD.org
Fri Jul 11 16:29:13 UTC 2008 

On Fri, Jul 11, 2008 at 11:56:53AM -0400, Alan Clegg wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Jeremy Chadwick wrote:
> > On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:
> >> Is there a way to restrict the ports which BIND selects -- perhaps
> >> at the expense of a small amount of entropy -- such that it doesn't
> >> try to use UDP ports which are administratively blocked (e.g. ports
> >> used by worms, or insecure Microsoft network utilities)? We don't 
> >> dare turn these port blocks off, or naive users will fall prey to 
> >> security holes in Microsoft products. But if BIND doesn't know to
> >> work around them, lookups will occasionally (and infuriatingly!)
> >> fail.
> > 
> > query-source has an argument called "port" which will do what you want.
> > That option *only* affects UDP queries, however; TCP queries are always
> > random.
> 
> While query-source allows you to lock down to a single port, you DO NOT
> WANT TO DO THIS -- if you do, you will be vulnerable to the very thing
> that the patch made you immune (well, safer) from.
> 
> What Brett (and others) need to do is risk the waters with the new beta
> code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained"
> control for the UDP ports to be used.
> 
> Please, PLEASE, do not introduce "query-source port XX" into your
> configurations.

The problem here is WRT network ACLs.  The only solution is to bind BIND
to a specific IP address and permit any outbound TCP or UDP traffic +
any inbound TCP or UDP traffic to port 53.  Most network administrators
I know of won't like that, as they deny all incoming *and* outgoing
traffic, then apply permit ACLs.  There's no "clean" or "strict" permit
ACL, while with port XX, you can at least narrow down things UDP-wise a
bit more.

I'll add that the stock src/etc/namedb/named.conf even advocates the use
of query-source ... port 53.  I'm sure this will be changed as a result
of the recent security issue.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

More information about the freebsd-security mailing list