Date: Mon, 21 Jul 2008 18:31:53 -0400 (EDT) From: Charles Sprickman <spork@bway.net> To: Kevin Oberman <oberman@es.net> Cc: Max Laier <max@love2party.net>, stable@freebsd.org, Doug Barton <dougb@freebsd.org>, freebsd-stable@freebsd.org, Brett Glass <brett@lariat.net> Subject: Re: FreeBSD 7.1 and BIND exploit Message-ID: <Pine.OSX.4.64.0807211828401.7101@hotlap.local> In-Reply-To: <20080721202418.7CF9B4500E@ptavv.es.net> References: <20080721202418.7CF9B4500E@ptavv.es.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 21 Jul 2008, Kevin Oberman wrote: >> From: Max Laier <max@love2party.net> >> Date: Mon, 21 Jul 2008 21:38:46 +0200 >> Sender: owner-freebsd-stable@freebsd.org >> >> On Monday 21 July 2008 21:14:22 Doug Barton wrote: >>> Brett Glass wrote: >>> | Everyone: >>> | >>> | Will FreeBSD 7.1 be released in time to use it as an upgrade to >>> | close the BIND cache poisoning hole? >>> >>> Brett, et al, >>> >>> I'll make this simple for you. If you have a server that is running >>> BIND, update BIND now. If you need to use the ports, that's fine, just >>> do it now. Make sure that you are not specifying a port via any >>> query-source* options in named.conf, and that any firewall between >>> your named process and the outside world does keep-state on outgoing >>> UDP packets. >> >> ... and that any NAT device employs at least a somewhat random port >> allocation mechanism - pf provides this. > > And, if you are not sure how good a job it does (and I am not), you > should use the OARC test to check how well it works: > dig +short porttest.dns-oarc.net TXT > > If the result is not "GOOD", it's not good enough. I was playing around with this a bit. It seems like a patched server will give a standard deviation of more than 18,000. If I make some queries behind a one-to-many NAT using pf, it falls to somewhere around 6,000 (with a patched BIND - unpatched is pitiful). PF is not *adding* any randomness to unpatched servers. Since it has a (non-configurable?) range of ports it will grab when doing outbound NAT, the results are not as good as with no NAT intervention, but passable I suppose. Of course in a 1:1 NAT setup it is transparent. Charles > You can test a remote server by adding "@remote-server" to the dig > command. The server may be specified by name or IP address. > > Don't forget that ANY server that caches data, including an end system > running a caching only server is vulnerable. > -- > R. Kevin Oberman, Network Engineer > Energy Sciences Network (ESnet) > Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) > E-mail: oberman@es.net Phone: +1 510 486-8634 > Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.OSX.4.64.0807211828401.7101>