From owner-freebsd-stable@FreeBSD.ORG Tue Jul 22 05:07:15 2008 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C17C31065677 for ; Tue, 22 Jul 2008 05:07:15 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by mx1.freebsd.org (Postfix) with ESMTP id 5C0308FC16 for ; Tue, 22 Jul 2008 05:07:15 +0000 (UTC) (envelope-from max@love2party.net) Received: from vampire.homelinux.org (dslb-088-066-048-174.pools.arcor-ip.net [88.66.48.174]) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis) id 0ML29c-1KLA5h2ySD-0000sF; Tue, 22 Jul 2008 07:07:14 +0200 Received: (qmail 66181 invoked from network); 22 Jul 2008 05:07:12 -0000 Received: from myhost.laiers.local (192.168.4.151) by ns1.laiers.local with SMTP; 22 Jul 2008 05:07:12 -0000 From: Max Laier Organization: FreeBSD To: Charles Sprickman Date: Tue, 22 Jul 2008 07:07:11 +0200 User-Agent: KMail/1.9.9 References: <20080721202418.7CF9B4500E@ptavv.es.net> In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200807220707.11870.max@love2party.net> X-Provags-ID: V01U2FsdGVkX19shxzaLZm6mqMtv4XCegBLzQYipsV8QoSAdn9 b8iraH4fXFIXKm1D+MF3fCm8YIkjQT+G61Rdgi9XBB0qJ5jdoa /Otqd2xv4znNSNx7ZH+AQ== Cc: Brett Glass , Doug Barton , freebsd-stable@freebsd.org Subject: Re: FreeBSD 7.1 and BIND exploit X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Jul 2008 05:07:15 -0000 On Tuesday 22 July 2008 00:31:53 Charles Sprickman wrote: > On Mon, 21 Jul 2008, Kevin Oberman wrote: > >> From: Max Laier > >> Date: Mon, 21 Jul 2008 21:38:46 +0200 > >> Sender: owner-freebsd-stable@freebsd.org > >> > >> On Monday 21 July 2008 21:14:22 Doug Barton wrote: > >>> Brett Glass wrote: > >>> | Everyone: > >>> | > >>> | Will FreeBSD 7.1 be released in time to use it as an upgrade to > >>> | close the BIND cache poisoning hole? > >>> > >>> Brett, et al, > >>> > >>> I'll make this simple for you. If you have a server that is running > >>> BIND, update BIND now. If you need to use the ports, that's fine, > >>> just do it now. Make sure that you are not specifying a port via > >>> any query-source* options in named.conf, and that any firewall > >>> between your named process and the outside world does keep-state on > >>> outgoing UDP packets. > >> > >> ... and that any NAT device employs at least a somewhat random port > >> allocation mechanism - pf provides this. > > > > And, if you are not sure how good a job it does (and I am not), you > > should use the OARC test to check how well it works: > > dig +short porttest.dns-oarc.net TXT > > > > If the result is not "GOOD", it's not good enough. > > I was playing around with this a bit. It seems like a patched server > will give a standard deviation of more than 18,000. If I make some > queries behind a one-to-many NAT using pf, it falls to somewhere around > 6,000 (with a patched BIND - unpatched is pitiful). While the standard deviation gives some *indication* about the randomness of the selection it is no real measurement for its quality. > PF is not *adding* any randomness to unpatched servers. Since it has a > (non-configurable?) range of ports it will grab when doing outbound > NAT, the results are not as good as with no NAT intervention, but > passable I suppose. You can configure the range on a per-NAT-rule basis, e.g.: nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if) port 1024:65535 but you have to take care so that you don't collide with the ephemeral port range of the host itself. Obviously you can't do much about an unpatched bind as with UDP there is no notion of "connection" so pf (or any NAT device for that matter) has to keep the NAT binding open for "some time" and a quick sequence of queries to the same server will be sent out through the same port. So putting a NAT firewall in front of a DNS resolver is *NOT* a workaround! > Of course in a 1:1 NAT setup it is transparent. > > Charles > > > You can test a remote server by adding "@remote-server" to the dig > > command. The server may be specified by name or IP address. > > > > Don't forget that ANY server that caches data, including an end > > system running a caching only server is vulnerable. > > -- > > R. Kevin Oberman, Network Engineer > > Energy Sciences Network (ESnet) > > Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) > > E-mail: oberman@es.net Phone: +1 510 486-8634 > > Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News