From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 16:29:13 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 85E42106566B; Fri, 11 Jul 2008 16:29:13 +0000 (UTC) (envelope-from jdc@parodius.com) Received: from mx01.sc1.parodius.com (mx01.sc1.parodius.com [72.20.106.3]) by mx1.freebsd.org (Postfix) with ESMTP id 7EAC88FC14; Fri, 11 Jul 2008 16:29:13 +0000 (UTC) (envelope-from jdc@parodius.com) Received: by mx01.sc1.parodius.com (Postfix, from userid 1000) id 660D51CC09A; Fri, 11 Jul 2008 09:29:13 -0700 (PDT) Date: Fri, 11 Jul 2008 09:29:13 -0700 From: Jeremy Chadwick To: Alan Clegg Message-ID: <20080711162913.GA55187@eos.sc1.parodius.com> References: <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> <20080711151228.GA52385@eos.sc1.parodius.com> <487782C5.7050703@clegg.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <487782C5.7050703@clegg.com> User-Agent: Mutt/1.5.18 (2008-05-17) Cc: Doug Barton , stef@memberwebs.com, "freebsd-security@freebsd.org" , secteam@freebsd.org, Brett Glass , Remko Lodder , Andrew Storms Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2008 16:29:13 -0000 On Fri, Jul 11, 2008 at 11:56:53AM -0400, Alan Clegg wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Jeremy Chadwick wrote: > > On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote: > >> Is there a way to restrict the ports which BIND selects -- perhaps > >> at the expense of a small amount of entropy -- such that it doesn't > >> try to use UDP ports which are administratively blocked (e.g. ports > >> used by worms, or insecure Microsoft network utilities)? We don't > >> dare turn these port blocks off, or naive users will fall prey to > >> security holes in Microsoft products. But if BIND doesn't know to > >> work around them, lookups will occasionally (and infuriatingly!) > >> fail. > > > > query-source has an argument called "port" which will do what you want. > > That option *only* affects UDP queries, however; TCP queries are always > > random. > > While query-source allows you to lock down to a single port, you DO NOT > WANT TO DO THIS -- if you do, you will be vulnerable to the very thing > that the patch made you immune (well, safer) from. > > What Brett (and others) need to do is risk the waters with the new beta > code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained" > control for the UDP ports to be used. > > Please, PLEASE, do not introduce "query-source port XX" into your > configurations. The problem here is WRT network ACLs. The only solution is to bind BIND to a specific IP address and permit any outbound TCP or UDP traffic + any inbound TCP or UDP traffic to port 53. Most network administrators I know of won't like that, as they deny all incoming *and* outgoing traffic, then apply permit ACLs. There's no "clean" or "strict" permit ACL, while with port XX, you can at least narrow down things UDP-wise a bit more. I'll add that the stock src/etc/namedb/named.conf even advocates the use of query-source ... port 53. I'm sure this will be changed as a result of the recent security issue. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |