Date: Thu, 10 Jul 2008 15:33:00 +1000 (EST)
From: "Tim Clewlow" <tim@clewlow.org>
To: "Mike Silbersack" <silby@silby.com>
Cc: freebsd-security@freebsd.org, Oliver Fromme <olli@lurza.secnetix.de>
Subject: Re: BIND update?
Message-ID: <53413.192.168.1.10.1215667980.squirrel@192.168.1.100>
In-Reply-To: <20080709233650.B3813@odysseus.silby.com>
References: <C4990135.1A0907%astorms@ncircle.com> <200807091054.m69As4eH065391@lurza.secnetix.de> <200807091209.m69C9Gsl030319@lava.sentex.ca> <20080709233650.B3813@odysseus.silby.com>
> > On Wed, 9 Jul 2008, Mike Tancsa wrote:
> >> At 06:54 AM 7/9/2008, Oliver Fromme wrote:
> >>> Andrew Storms wrote:
> >>> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
> >>>
> >>> I'm just wondering ...
> >>>
> >>> ISC's patches cause source ports to be randomized, thus
> >>> making it more difficult to spoof response packets.
> >>>
> >>> But doesn't FreeBSD already randomize source ports by
> >>> default?  So, do FreeBSD systems need to be patched
> >>> at all?
> >>
> >> It doesn't seem to do a very good job of it with bind for some
> >> reason...
> >> Perhaps because it picks a port and reuses it?
> >
> > Yep, binding to a single query port and sticking to it is how BIND has
> > operated for years.
> >
> > I just came up with a crazy idea, perhaps someone with more pf knowledge
> > could answer this question:
> >
> > Can you make a pf rule that NATs all outgoing udp queries from BIND with
> > random source ports?  That seems like it would have exactly the same
> > effect as BIND randomizing the source ports itself.
> >
> > Granted, updating BIND would probably be the better choice long term, but
> > perhaps it'd be easier to push a new firewall rule out to a rack of
> > machines.

Assuming this is NOT a gateway, i.e. a single-homed DNS. This has not been
tested, and may not work, but anyway, how about:

# pf.conf fragment; fill in the two macros before loading it with pfctl
nic="network interface name"
bind_port="source port number you have set bind to ALWAYS use"

# Translate every packet leaving $nic from $bind_port: the source address
# becomes $nic's address, and pf assigns a new source port per state.
nat on $nic from any port $bind_port to any -> ($nic)

This _should_ do a special nat of both udp and tcp traffic, i.e. keep the
same source IP but randomly pick a new source port.

I haven't had time to set up a jail/test DNS to try this on, maybe it
won't work at all, but that should give you an idea.

Cheers, Tim.

We are BSD ... resistance is futile.
http://www.freebsd.org/ - http://www.openbsd.org/ - http://www.netbsd.org/
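Whichever route is taken (patched BIND or the pf nat rule above), the thing to verify afterwards is that queries really do leave from varying ports, since a resolver pinned to one port leaves an off-path spoofer only the 16-bit transaction ID to guess. The script below is an added example, not code from the thread or from ISC: it reads `tcpdump -n` text output for outgoing queries, counts the distinct source ports, and reports the size of the search space a spoofed reply would have to cover. The tcpdump line format it parses is the usual `IP src.sport > dst.dport: id+ TYPE? name. (len)` form; the sample lines, hosts and port values are constructed for illustration, and the 50001-65535 ports in the second sample mimic pf's default translation range.

```python
"""Check whether a resolver's outgoing DNS queries use randomized source
ports, from `tcpdump -n` text output.

Added example for the freebsd-security thread on BIND source ports; it is
not part of the thread. All input below is constructed so it runs offline.
"""
import math
import re
from collections import Counter

# One line per outgoing UDP query, as printed by e.g.
#   tcpdump -n -i <nic> 'udp and src host <resolver-ip> and dst port 53'
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+? "
)


def source_ports(lines, src=None):
    """Source ports of the queries in `lines`, optionally only those sent
    from the resolver address `src` (so client queries to the resolver,
    which also have dst port 53, are not counted)."""
    ports = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and (src is None or m.group("src") == src):
            ports.append(int(m.group("sport")))
    return ports


def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution, in bits.
    A fixed port gives 0; n distinct ports give at most log2(n), so a
    small capture bounds the estimate and a real check needs thousands
    of queries."""
    if not ports:
        return 0.0
    total = len(ports)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(ports).values())


def spoof_search_space_bits(ports):
    """Bits an off-path attacker must match per spoofed reply: the 16-bit
    transaction ID plus whatever the source port contributes."""
    return 16 + port_entropy_bits(ports)


def assess(lines, src=None):
    """Summarize a capture: query count, distinct ports, whether the
    resolver is pinned to one port, and the spoofing search space."""
    ports = source_ports(lines, src)
    distinct = len(set(ports))
    return {
        "queries": len(ports),
        "distinct_ports": distinct,
        "fixed_port": distinct == 1,
        "search_space_bits": round(spoof_search_space_bits(ports), 1),
    }


# Constructed sample 1: BIND pinned to a single query-source port (53),
# every query leaves from the same port.
FIXED_PORT_LINES = [
    f"15:33:0{i}.000000 IP 192.168.1.10.53 > 192.0.2.1.53: "
    f"{1000 + i}+ A? host{i}.example. (30)"
    for i in range(8)
]

# Constructed sample 2: the same queries after a pf nat rule rewrote the
# source port; values chosen from pf's default 50001-65535 nat range.
_NAT_PORTS = [50123, 61007, 55555, 64999, 50001, 58321, 62210, 53477]
RANDOMIZED_PORT_LINES = [
    f"15:33:0{i}.000000 IP 192.168.1.10.{p} > 192.0.2.1.53: "
    f"{1000 + i}+ A? host{i}.example. (30)"
    for i, p in enumerate(_NAT_PORTS)
]

if __name__ == "__main__":
    print("pinned port:", assess(FIXED_PORT_LINES, src="192.168.1.10"))
    print("nat rewritten:", assess(RANDOMIZED_PORT_LINES, src="192.168.1.10"))
```

Two pf details matter when reading the result. Unless a nat rule carries `static-port`, pf picks the translated source port at random from 50001-65535, which is what makes the rule in the reply above work at all; a `port` spec after the translation address (for example `port 1024:65535`) widens that range, adding roughly one bit to the search space. And because `-> ($nic)` rewrites the source address to that interface's address, the rule only preserves the original source IP on a single-homed host, exactly the assumption Tim states.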