Date:      Mon, 21 Jul 2008 18:31:53 -0400 (EDT)
From:      Charles Sprickman <spork@bway.net>
To:        Kevin Oberman <oberman@es.net>
Cc:        Max Laier <max@love2party.net>, stable@freebsd.org, Doug Barton <dougb@freebsd.org>, freebsd-stable@freebsd.org, Brett Glass <brett@lariat.net>
Subject:   Re: FreeBSD 7.1 and BIND exploit
Message-ID:  <Pine.OSX.4.64.0807211828401.7101@hotlap.local>
In-Reply-To: <20080721202418.7CF9B4500E@ptavv.es.net>
References:  <20080721202418.7CF9B4500E@ptavv.es.net>

On Mon, 21 Jul 2008, Kevin Oberman wrote:

>> From: Max Laier <max@love2party.net>
>> Date: Mon, 21 Jul 2008 21:38:46 +0200
>> Sender: owner-freebsd-stable@freebsd.org
>>
>> On Monday 21 July 2008 21:14:22 Doug Barton wrote:
>>> Brett Glass wrote:
>>> | Everyone:
>>> |
>>> | Will FreeBSD 7.1 be released in time to use it as an upgrade to
>>> | close the BIND cache poisoning hole?
>>>
>>> Brett, et al,
>>>
>>> I'll make this simple for you. If you have a server that is running
>>> BIND, update BIND now. If you need to use the ports, that's fine, just
>>> do it now. Make sure that you are not specifying a port via any
>>> query-source* options in named.conf, and that any firewall between
>>> your named process and the outside world does keep-state on outgoing
>>> UDP packets.
>>
>> ... and that any NAT device employs at least a somewhat random port
>> allocation mechanism - pf provides this.
>
> And, if you are not sure how good a job it does (and I am not), you
> should use the OARC test to check how well it works:
> dig +short porttest.dns-oarc.net TXT
>
> If the result is not "GOOD", it's not good enough.

I was playing around with this a bit.  It seems like a patched server will 
give a standard deviation of more than 18,000.  If I make some queries 
behind a one-to-many NAT using pf, it falls to somewhere around 6,000 
(with a patched BIND - unpatched is pitiful).

PF is not *adding* any randomness to unpatched servers.  Since it has a 
(non-configurable?) range of ports it will grab when doing outbound NAT, 
the results are not as good as with no NAT intervention, but passable I 
suppose.

Of course in a 1:1 NAT setup it is transparent.

Charles

> You can test a remote server by adding "@remote-server" to the dig
> command. The server may be specified by name or IP address.
>
> Don't forget that ANY server that caches data, including an end system
> running a caching only server is vulnerable.
> -- 
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: oberman@es.net			Phone: +1 510 486-8634
> Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
>
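The statistic the thread is measuring (the standard deviation of the UDP source ports a resolver's outgoing queries leave from) can be reproduced offline. The following is an added Python example, not code from this thread, from ISC or from DNS-OARC: it simulates three of the behaviours described above (a resolver pinned to one port, a patched resolver drawing from the whole unprivileged range, and the same resolver behind a NAT that rewrites ports from a small pool) and computes the spread of the ports an outside observer would see. The NAT pool bounds and the grading thresholds are assumptions for illustration, not pf's defaults or OARC's scale.

```python
"""Estimate how much source-port randomness an observer actually sees.

Added example (constructed, not from the thread, ISC or DNS-OARC).
It reproduces the statistic discussed on the list: the sample standard
deviation of the source ports on a batch of outgoing queries. A patched
BIND choosing from the full unprivileged range should show a spread above
18,000; a NAT that rewrites ports into a narrow pool reduces it, and a
resolver pinned to one port (query-source ... port N) shows no spread.
"""
import random
import statistics
from typing import Callable, Iterable, List

UNPRIV_LOW, UNPRIV_HIGH = 1024, 65535

Allocator = Callable[[random.Random], int]


def port_stddev(ports: Iterable[int]) -> float:
    """Sample standard deviation of the observed ports (0.0 if fewer than 2)."""
    ports = list(ports)
    if len(ports) < 2:
        return 0.0
    return statistics.stdev(ports)


def fixed_port_allocator(port: int = 53) -> Allocator:
    """Unpatched-style behaviour: every query leaves from the same port."""
    return lambda rng: port


def full_range_allocator(low: int = UNPRIV_LOW, high: int = UNPRIV_HIGH) -> Allocator:
    """Patched-style behaviour: a fresh random port per query."""
    return lambda rng: rng.randint(low, high)


def nat_pool_allocator(low: int, high: int) -> Allocator:
    """NAT rewrite: whatever the resolver chose, the outside sees a pool port.

    The pool bounds are supplied by the caller; they are an assumption,
    not any particular NAT implementation's defaults.
    """
    return lambda rng: rng.randint(low, high)


def observe_ports(allocator: Allocator, n: int = 2000, seed: int = 0) -> List[int]:
    """Constructed observation: n queries, seeded so the run is reproducible."""
    rng = random.Random(seed)
    return [allocator(rng) for _ in range(n)]


def expected_uniform_stddev(low: int, high: int) -> float:
    """Population stddev of a discrete uniform distribution on [low, high].

    For the full range 1024..65535 this is about 18,623, which matches the
    ">18,000" figure quoted for a patched server.
    """
    width = high - low + 1
    return ((width * width - 1) / 12) ** 0.5


def grade(sd: float) -> str:
    """Illustrative buckets only (assumed thresholds, not OARC's grading)."""
    if sd >= 15000:
        return "full-range randomisation"
    if sd >= 3000:
        return "randomised but constrained (narrow NAT pool?)"
    return "effectively predictable"


if __name__ == "__main__":
    for name, alloc in [
        ("pinned port", fixed_port_allocator()),
        ("full range", full_range_allocator()),
        ("NAT pool 50001-65535 (assumed)", nat_pool_allocator(50001, 65535)),
    ]:
        sd = port_stddev(observe_ports(alloc))
        print(f"{name:32s} stddev={sd:8.1f}  {grade(sd)}")
```

Run it as-is to see the three cases side by side; to apply it to a real resolver, replace `observe_ports` with the source ports captured from its outbound queries (for example from a packet capture on the NAT's outside interface) and feed them to `port_stddev`.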