Date: Thu, 10 Jul 2008 00:54:14 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Tim Clewlow <tim@clewlow.org>
Cc: freebsd-security@freebsd.org, Oliver Fromme <olli@lurza.secnetix.de>
Subject: Re: BIND update?
Message-ID: <20080710004835.S5394@odysseus.silby.com>
In-Reply-To: <53413.192.168.1.10.1215667980.squirrel@192.168.1.100>
References: <C4990135.1A0907%astorms@ncircle.com> <200807091054.m69As4eH065391@lurza.secnetix.de> <200807091209.m69C9Gsl030319@lava.sentex.ca> <20080709233650.B3813@odysseus.silby.com> <53413.192.168.1.10.1215667980.squirrel@192.168.1.100>
On Thu, 10 Jul 2008, Tim Clewlow wrote:

>> Can you make a pf rule that NATs all outgoing udp queries from BIND
>> with random source ports? That seems like it would have exactly the
>> same effect as BIND randomizing the source ports itself.
>
> Assuming this is NOT a gateway, i.e. a single homed DNS.
>
> This has not been tested, and may not work, but anyway, how about:
>
> nic="network interface name"
> bind_port="source port number you have set bind to ALWAYS use"
> nat on $nic from any port $bind_port to any -> ($nic)
>
> This _should_ do a special nat of both udp and tcp traffic, i.e. keep
> the same source IP but randomly pick a new source port.
>
> I haven't had time to set up a jail/test DNS to try this on, maybe
> it won't work at all, but that should give you an idea.
>
> Cheers, Tim.

Yes, using pf's NAT seems to work, although doxpara's checker claims that
it is not working.  Here's what tcpdump on the external side of NAT shows
me after I nat port 53 traffic:

06:05:56.469558 IP SILBYIP.60153 > 209.85.139.9.53: 9078% [1au] A? www.l.google.com. (45)
06:05:56.535407 IP 209.85.139.9.53 > SILBYIP.60153: 9078*- 3/0/0 A 64.233.167.99,[|domain]
06:06:03.767643 IP SILBYIP.59956 > 216.239.36.10.53: 21333% [1au] A? news.google.com. (44)
06:06:03.817520 IP 216.239.36.10.53 > SILBYIP.59956: 21333*- 1/7/8 CNAME news.l.google.com. (289)
06:06:03.818565 IP SILBYIP.55784 > 64.233.167.9.53: 61468% [1au] A? news.l.google.com. (46)
06:06:03.840510 IP 64.233.167.9.53 > SILBYIP.55784: 61468*- 2/0/0 A 72.14.207.104, (67)
06:06:16.830837 IP SILBYIP.59956 > 216.239.36.10.53: 59557% [1au] A? maps.google.com. (44)
06:06:16.880945 IP 216.239.36.10.53 > SILBYIP.59956: 59557*- 1/7/8 CNAME maps.l.google.com. (289)
06:06:16.881988 IP SILBYIP.63680 > 209.85.137.9.53: 11160% [1au] A? maps.l.google.com. (46)
06:06:17.025439 IP 209.85.137.9.53 > SILBYIP.63680: 11160*- 3/0/0 A 64.233.167.104,[|domain]

As you can see, we get a different source port for each server that we
connect to.  I would assume that makes us secure.  But the checker at
doxpara doesn't think we're secure because it's just one server that
we're connecting to repeatedly.

06:06:45.127850 IP SILBYIP.57575 > 209.200.168.66.53: 38156% [1au] A? 46e004a4f29d.toorrr.com. (52)
06:06:45.238227 IP 209.200.168.66.53 > SILBYIP.57575: 38156*- 1/0/0 CNAME[|domain]
06:06:45.239020 IP SILBYIP.57575 > 209.200.168.66.53: 11461% [1au][|domain]
06:06:45.351066 IP 209.200.168.66.53 > SILBYIP.57575: 11461*-[|domain]
06:06:45.351836 IP SILBYIP.57575 > 209.200.168.66.53: 57564% [1au][|domain]
06:06:45.466886 IP 209.200.168.66.53 > SILBYIP.57575: 57564*-[|domain]
06:06:45.467658 IP SILBYIP.57575 > 209.200.168.66.53: 31106% [1au][|domain]
06:06:45.580640 IP 209.200.168.66.53 > SILBYIP.57575: 31106*-[|domain]
06:06:45.581619 IP SILBYIP.57575 > 209.200.168.66.53: 4662% [1au][|domain]
06:06:45.692804 IP 209.200.168.66.53 > SILBYIP.57575: 4662*-[|domain]

So there we go, we saved the internet with NAT. :)

-Mike
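The two captures above are the whole argument, so here is an added example (not code from the thread, from pf, or from BIND) that checks a tcpdump excerpt the way the doxpara tester effectively did: it parses every outgoing query to port 53 from the resolver host, groups the source ports by destination server, and reports whether each query got a fresh port. Run over the first capture it confirms "a different port per server" but also catches the reuse of port 59956 for 216.239.36.10; over the second it reports that all five queries to the single test server shared port 57575. That is the expected behaviour of a NAT rule rather than a bug in it: the translation is stored in a state entry keyed on the source and destination addresses and ports, so while the state lives, every packet from BIND's fixed port to the same server maps to the same external port. For the cache-poisoning defence the randomization was meant to provide, a port that is stable per destination is as predictable to an observer of a few queries as a fixed port, which is why the per-server view in the first capture is not sufficient evidence on its own. The host label `SILBYIP` is the anonymized resolver address used in the message; the capture text is taken from the message and the dictionary keys are this example's own.

```python
import re
from collections import defaultdict

# tcpdump query/response lines as quoted in the message (resolver address
# anonymized there as SILBYIP).  Multi-server capture first.
CAPTURE_MULTI_SERVER = """\
06:05:56.469558 IP SILBYIP.60153 > 209.85.139.9.53: 9078% [1au] A? www.l.google.com. (45)
06:05:56.535407 IP 209.85.139.9.53 > SILBYIP.60153: 9078*- 3/0/0 A 64.233.167.99,[|domain]
06:06:03.767643 IP SILBYIP.59956 > 216.239.36.10.53: 21333% [1au] A? news.google.com. (44)
06:06:03.817520 IP 216.239.36.10.53 > SILBYIP.59956: 21333*- 1/7/8 CNAME news.l.google.com. (289)
06:06:03.818565 IP SILBYIP.55784 > 64.233.167.9.53: 61468% [1au] A? news.l.google.com. (46)
06:06:03.840510 IP 64.233.167.9.53 > SILBYIP.55784: 61468*- 2/0/0 A 72.14.207.104, (67)
06:06:16.830837 IP SILBYIP.59956 > 216.239.36.10.53: 59557% [1au] A? maps.google.com. (44)
06:06:16.880945 IP 216.239.36.10.53 > SILBYIP.59956: 59557*- 1/7/8 CNAME maps.l.google.com. (289)
06:06:16.881988 IP SILBYIP.63680 > 209.85.137.9.53: 11160% [1au] A? maps.l.google.com. (46)
06:06:17.025439 IP 209.85.137.9.53 > SILBYIP.63680: 11160*- 3/0/0 A 64.233.167.104,[|domain]
"""

# Repeated queries to the single doxpara test server.
CAPTURE_SINGLE_SERVER = """\
06:06:45.127850 IP SILBYIP.57575 > 209.200.168.66.53: 38156% [1au] A? 46e004a4f29d.toorrr.com. (52)
06:06:45.238227 IP 209.200.168.66.53 > SILBYIP.57575: 38156*- 1/0/0 CNAME[|domain]
06:06:45.239020 IP SILBYIP.57575 > 209.200.168.66.53: 11461% [1au][|domain]
06:06:45.351066 IP 209.200.168.66.53 > SILBYIP.57575: 11461*-[|domain]
06:06:45.351836 IP SILBYIP.57575 > 209.200.168.66.53: 57564% [1au][|domain]
06:06:45.466886 IP 209.200.168.66.53 > SILBYIP.57575: 57564*-[|domain]
06:06:45.467658 IP SILBYIP.57575 > 209.200.168.66.53: 31106% [1au][|domain]
06:06:45.580640 IP 209.200.168.66.53 > SILBYIP.57575: 31106*-[|domain]
06:06:45.581619 IP SILBYIP.57575 > 209.200.168.66.53: 4662% [1au][|domain]
06:06:45.692804 IP 209.200.168.66.53 > SILBYIP.57575: 4662*-[|domain]
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <txid>..."; the host part may itself
# contain dots, so the greedy \S+ backtracks to the last dot before the port.
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)")


def parse_queries(capture, resolver="SILBYIP"):
    """Return (server, source_port, txid) for each query the resolver sent to port 53.

    Response lines (source port 53, destination = resolver) are skipped.
    """
    queries = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, txid = m.groups()
        if src == resolver and dport == "53":
            queries.append((dst, int(sport), int(txid)))
    return queries


def assess(capture, resolver="SILBYIP"):
    """Summarize how well source ports vary across the resolver's queries.

    per_query_random is True only when no two queries in the capture share a
    source port; sticky_servers lists destinations that saw a repeated port,
    which is the per-state NAT behaviour the doxpara checker objected to.
    """
    queries = parse_queries(capture, resolver)
    ports_by_server = defaultdict(list)
    for server, sport, _ in queries:
        ports_by_server[server].append(sport)
    sticky = sorted(s for s, p in ports_by_server.items() if len(set(p)) < len(p))
    distinct = len({sport for _, sport, _ in queries})
    return {
        "queries": len(queries),
        "servers": len(ports_by_server),
        "distinct_ports": distinct,
        "sticky_servers": sticky,
        "per_query_random": bool(queries) and distinct == len(queries),
    }


if __name__ == "__main__":
    for name, cap in (("multi-server", CAPTURE_MULTI_SERVER),
                      ("single-server", CAPTURE_SINGLE_SERVER)):
        print(name, assess(cap))
```

A capture from a resolver that randomizes per query (BIND with the fix, or any resolver opening a fresh socket per query) should report `per_query_random: True` and an empty `sticky_servers` list even against a single server; that is the result to look for when validating a change, and a resolver's own query log will not show it because the translation happens after the packet leaves the daemon.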