Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 9 Jul 2008 23:41:54 -0500 (CDT)
From:      Mike Silbersack <silby@silby.com>
To:        Mike Tancsa <mike@sentex.net>
Cc:        freebsd-security@freebsd.org, Oliver Fromme <olli@lurza.secnetix.de>
Subject:   Re: BIND update?
Message-ID:  <20080709233650.B3813@odysseus.silby.com>
In-Reply-To: <200807091209.m69C9Gsl030319@lava.sentex.ca>
References:  <C4990135.1A0907%astorms@ncircle.com> <200807091054.m69As4eH065391@lurza.secnetix.de> <200807091209.m69C9Gsl030319@lava.sentex.ca>

next in thread | previous in thread | raw e-mail | index | archive | help

On Wed, 9 Jul 2008, Mike Tancsa wrote:

> At 06:54 AM 7/9/2008, Oliver Fromme wrote:
>> Andrew Storms wrote:
>>  > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>> 
>> I'm just wondering ...
>> 
>> ISC's patches cause source ports to be randomized, thus
>> making it more difficult to spoof response packets.
>> 
>> But doesn't FreeBSD already randomize source ports by
>> default?  So, do FreeBSD systems require to be patched
>> at all?
>
> It doesnt seem to do a very good job of it with bind for some reason... 
> Perhaps because it picks a port and reuses it ?

Yep, binding to a single query port and sticking to it is how BIND has 
operated for years.

I just came up with a crazy idea, perhaps someone with more pf knowledge 
could answer this question:

Can you make a pf rule that NATs all outgoing udp queries from BIND with 
random source ports?  That seems like it would have exactly the same 
effect as BIND randomizing the source ports itself.

Granted, updating BIND would probably be the better choice long term, but 
perhaps it'd be easier to push a new firewall rule out to a rack of 
machines.

Mike "Silby" Silbersack



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080709233650.B3813>