From owner-freebsd-stable@FreeBSD.ORG Mon Jul 21 22:31:55 2008
Return-Path:
Delivered-To: stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5669B1065672 for ; Mon, 21 Jul 2008 22:31:55 +0000 (UTC) (envelope-from spork@bway.net)
Received: from xena.bway.net (xena.bway.net [216.220.96.26]) by mx1.freebsd.org (Postfix) with ESMTP id 046F38FC17 for ; Mon, 21 Jul 2008 22:31:54 +0000 (UTC) (envelope-from spork@bway.net)
Received: (qmail 51296 invoked by uid 0); 21 Jul 2008 22:31:53 -0000
Received: from unknown (HELO ?192.168.0.220?) (spork@216.220.116.154) by smtp.bway.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 21 Jul 2008 22:31:53 -0000
Date: Mon, 21 Jul 2008 18:31:53 -0400 (EDT)
From: Charles Sprickman
X-X-Sender: spork@hotlap.local
To: Kevin Oberman
In-Reply-To: <20080721202418.7CF9B4500E@ptavv.es.net>
Message-ID:
References: <20080721202418.7CF9B4500E@ptavv.es.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Max Laier, stable@freebsd.org, Doug Barton, freebsd-stable@freebsd.org, Brett Glass
Subject: Re: FreeBSD 7.1 and BIND exploit
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 21 Jul 2008 22:31:55 -0000

On Mon, 21 Jul 2008, Kevin Oberman wrote:

>> From: Max Laier
>> Date: Mon, 21 Jul 2008 21:38:46 +0200
>> Sender: owner-freebsd-stable@freebsd.org
>>
>> On Monday 21 July 2008 21:14:22 Doug Barton wrote:
>>> Brett Glass wrote:
>>> | Everyone:
>>> |
>>> | Will FreeBSD 7.1 be released in time to use it as an upgrade to
>>> | close the BIND cache poisoning hole?
>>>
>>> Brett, et al,
>>>
>>> I'll make this simple for you. If you have a server that is running
>>> BIND, update BIND now. If you need to use the ports, that's fine, just
>>> do it now. Make sure that you are not specifying a port via any
>>> query-source* options in named.conf, and that any firewall between
>>> your named process and the outside world does keep-state on outgoing
>>> UDP packets.
>>
>> ... and that any NAT device employs at least a somewhat random port
>> allocation mechanism - pf provides this.
>
> And, if you are not sure how good a job it does (and I am not), you
> should use the OARC test to check how well it works:
> dig +short porttest.dns-oarc.net TXT
>
> If the result is not "GOOD", it's not good enough.

I was playing around with this a bit. It seems like a patched server will
give a standard deviation of more than 18,000. If I make some queries
behind a one-to-many NAT using pf, it falls to somewhere around 6,000
(with a patched BIND - unpatched is pitiful).

PF is not *adding* any randomness to unpatched servers. Since it has a
(non-configurable?) range of ports it will grab when doing outbound NAT,
the results are not as good as with no NAT intervention, but passable I
suppose. Of course in a 1:1 NAT setup it is transparent.

Charles

> You can test a remote server by adding "@remote-server" to the dig
> command. The server may be specified by name or IP address.
>
> Don't forget that ANY server that caches data, including an end system
> running a caching only server is vulnerable.
> --
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: oberman@es.net Phone: +1 510 486-8634
> Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
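A small check, added here as an illustration and not part of the thread or of BIND or OARC tooling, that applies the two points above: it rates a set of observed outbound source ports against the standard deviations Charles reports (above 18,000 for a patched server, around 6,000 behind pf NAT), and flags any query-source option in named.conf that pins a port. The port samples and the named.conf snippet are constructed for the example.

```python
import re
import statistics

# Constructed samples of the UDP source ports a resolver used for outbound queries
# (what you would pull from a packet capture).  Evenly spaced values keep the
# spread deterministic; a real capture would be noisier.
RANDOM_PORTS = list(range(1024, 65536, 64))    # patched BIND: whole ephemeral range
NAT_PORTS = list(range(32768, 61440, 64))      # behind a NAT with a narrower port pool
PINNED_PORTS = [53] * 200                      # "query-source ... port 53" in named.conf

# Thresholds as reported in the thread: above 18,000 on a patched server,
# roughly 6,000 once the queries pass through pf one-to-many NAT.
GOOD_STDEV = 18000
PASSABLE_STDEV = 6000

def port_spread(ports):
    """Return (population stdev, number of distinct ports) for observed source ports."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    return statistics.pstdev(ports), len(set(ports))

def rate_ports(ports):
    """Rate the spread on the GOOD / PASSABLE / POOR scale used in the thread."""
    sd, distinct = port_spread(ports)
    if distinct == 1:
        return "POOR"          # every query left from one port: no randomisation at all
    if sd >= GOOD_STDEV:
        return "GOOD"
    if sd >= PASSABLE_STDEV:
        return "PASSABLE"      # typical of a randomising NAT drawing from a narrow pool
    return "POOR"

# Any query-source / query-source-v6 option with a numeric port pins the source
# port, so the BIND fix is defeated no matter what the firewall or NAT does.
_QUERY_SOURCE = re.compile(r"^\s*(query-source(?:-v6)?)\b[^;]*?\bport\s+(\d+)\s*;", re.M)

def pinned_query_source(named_conf):
    """Return [(option, port), ...] for each query-source option that fixes a port."""
    return [(opt, int(port)) for opt, port in _QUERY_SOURCE.findall(named_conf)]

SAMPLE_CONF = """\
options {
    query-source address * port 53;
    query-source-v6 address *;
};
"""

if __name__ == "__main__":
    for name, ports in [("patched", RANDOM_PORTS), ("pf NAT", NAT_PORTS), ("pinned", PINNED_PORTS)]:
        print(f"{name:8s} stdev={port_spread(ports)[0]:8.0f} -> {rate_ports(ports)}")
    print("fixed query-source ports:", pinned_query_source(SAMPLE_CONF))
```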