Date: Fri, 11 Jul 2008 09:29:13 -0700 From: Jeremy Chadwick <koitsu@FreeBSD.org> To: Alan Clegg <alan@clegg.com> Cc: Doug Barton <dougb@freebsd.org>, stef@memberwebs.com, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, secteam@freebsd.org, Brett Glass <brett@lariat.net>, Remko Lodder <remko@freebsd.org>, Andrew Storms <astorms@ncircle.com> Subject: Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo] Message-ID: <20080711162913.GA55187@eos.sc1.parodius.com> In-Reply-To: <487782C5.7050703@clegg.com> References: <C49A67C5.1A0CBA%astorms@ncircle.com> <20080709204114.471A2F1835D@mx.npubs.com> <4876A3FE.1070407@FreeBSD.org> <200807111454.IAA18639@lariat.net> <20080711151228.GA52385@eos.sc1.parodius.com> <487782C5.7050703@clegg.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jul 11, 2008 at 11:56:53AM -0400, Alan Clegg wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Jeremy Chadwick wrote: > > On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote: > >> Is there a way to restrict the ports which BIND selects -- perhaps > >> at the expense of a small amount of entropy -- such that it doesn't > >> try to use UDP ports which are administratively blocked (e.g. ports > >> used by worms, or insecure Microsoft network utilities)? We don't > >> dare turn these port blocks off, or naive users will fall prey to > >> security holes in Microsoft products. But if BIND doesn't know to > >> work around them, lookups will occasionally (and infuriatingly!) > >> fail. > > > > query-source has an argument called "port" which will do what you want. > > That option *only* affects UDP queries, however; TCP queries are always > > random. > > While query-source allows you to lock down to a single port, you DO NOT > WANT TO DO THIS -- if you do, you will be vulnerable to the very thing > that the patch made you immune (well, safer) from. > > What Brett (and others) need to do is risk the waters with the new beta > code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained" > control for the UDP ports to be used. > > Please, PLEASE, do not introduce "query-source port XX" into your > configurations. The problem here is WRT network ACLs. The only solution is to bind BIND to a specific IP address and permit any outbound TCP or UDP traffic + any inbound TCP or UDP traffic to port 53. Most network administrators I know of won't like that, as they deny all incoming *and* outgoing traffic, then apply permit ACLs. There's no "clean" or "strict" permit ACL, while with port XX, you can at least narrow down things UDP-wise a bit more. I'll add that the stock src/etc/namedb/named.conf even advocates the use of query-source ... port 53. I'm sure this will be changed as a result of the recent security issue. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080711162913.GA55187>