From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 05:08:37 2008
Date: Wed, 9 Jul 2008 23:41:54 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, Oliver Fromme
Subject: Re: BIND update?
Message-ID: <20080709233650.B3813@odysseus.silby.com>
In-Reply-To: <200807091209.m69C9Gsl030319@lava.sentex.ca>
References: <200807091054.m69As4eH065391@lurza.secnetix.de> <200807091209.m69C9Gsl030319@lava.sentex.ca>

On Wed, 9 Jul 2008, Mike Tancsa wrote:

> At 06:54 AM 7/9/2008, Oliver Fromme wrote:
>> Andrew Storms wrote:
>> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>>
>> I'm just wondering ...
>>
>> ISC's patches cause source ports to be randomized, thus
>> making it more difficult to spoof response packets.
>>
>> But doesn't FreeBSD already randomize source ports by
>> default? So, do FreeBSD systems need to be patched
>> at all?
>
> It doesn't seem to do a very good job of it with bind for some reason...
> Perhaps because it picks a port and reuses it?

Yep, binding to a single query port and sticking to it is how BIND has operated for years.

I just came up with a crazy idea, perhaps someone with more pf knowledge could answer this question: Can you make a pf rule that NATs all outgoing UDP queries from BIND with random source ports? That seems like it would have exactly the same effect as BIND randomizing the source ports itself.

Granted, updating BIND would probably be the better choice long term, but perhaps it'd be easier to push a new firewall rule out to a rack of machines.

Mike "Silby" Silbersack
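The pf rule Mike asks about, as an added pf.conf example that is not part of the original thread: it assumes the resolver runs on the firewall host itself, with em0 as the external interface and 192.0.2.10 as the resolver's address (both placeholders).

```pf
# Added example, not from the original message. Placeholders: em0 is the
# external interface, 192.0.2.10 is the address BIND sends queries from.
ext_if  = "em0"
dns_srv = "192.0.2.10"

# Rewrite the source port of every outbound UDP DNS query from the resolver.
# pf chooses the translated port at random inside the given range, so each
# new query gets its own source port even though BIND keeps reusing one
# fixed query port. Without an explicit range pf defaults to 50001:65535,
# which leaves noticeably fewer bits of entropy than the full unprivileged
# range given here. Do NOT add "static-port", which would keep BIND's port.
nat on $ext_if inet proto udp from $dns_srv to any port 53 -> ($ext_if) port 1024:65535
```

After loading the rule, `pfctl -ss | grep 'udp.*:53'` should show a different translated source port for each outstanding query state; note that this only randomizes the port, not the 16-bit DNS transaction ID, so it is a stopgap until BIND is updated.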