From: "Tim Clewlow" <tim@clewlow.org>
To: "Mike Silbersack"
Cc: freebsd-security@freebsd.org, Oliver Fromme
Date: Thu, 10 Jul 2008 15:33:00 +1000 (EST)
Subject: Re: BIND update?
List: freebsd-security ("Security issues [members-only posting]")

> On Wed, 9 Jul 2008, Mike Tancsa wrote:
>
>> At 06:54 AM 7/9/2008, Oliver Fromme wrote:
>>> Andrew Storms wrote:
>>> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>>>
>>> I'm just wondering ...
>>>
>>> ISC's patches cause source ports to be randomized, thus
>>> making it more difficult to spoof response packets.
>>>
>>> But doesn't FreeBSD already randomize source ports by
>>> default? So, do FreeBSD systems need to be patched
>>> at all?
>>
>> It doesn't seem to do a very good job of it with bind for some
>> reason... Perhaps because it picks a port and reuses it?
>
> Yep, binding to a single query port and sticking to it is how BIND
> has operated for years.
>
> I just came up with a crazy idea, perhaps someone with more pf
> knowledge could answer this question:
>
> Can you make a pf rule that NATs all outgoing udp queries from BIND
> with random source ports? That seems like it would have exactly the
> same effect as BIND randomizing the source ports itself.
>
> Granted, updating BIND would probably be the better choice long
> term, but perhaps it'd be easier to push a new firewall rule out to
> a rack of machines.

Assuming this is NOT a gateway, i.e. a single-homed DNS. This has not
been tested, and may not work, but anyway, how about:

    nic="network interface name"
    bind_port="source port number you have set bind to ALWAYS use"

    nat on $nic from any port $bind_port to any -> ($nic)

This _should_ do a special nat of both udp and tcp traffic, i.e. keep
the same source IP but randomly pick a new source port. I haven't had
time to set up a jail/test DNS to try this on, maybe it won't work at
all, but that should give you an idea.

Cheers, Tim.

We are BSD ... resistance is futile.
http://www.freebsd.org/ - http://www.openbsd.org/ - http://www.netbsd.org/
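Editor's note, added to this archived thread and not part of any post above. Whether the fix is the ISC patch or Tim's pf nat rule, the thing to verify is the same: do the queries actually leaving the box use a different UDP source port each time? Two caveats on the nat idea are worth knowing before measuring. pf picks the translated source port from 50001:65535 unless a `port` range is given on the rule, so the space is about 15.5k ports, not 64k. And pf matches packets against existing state before it evaluates rules: while BIND keeps one fixed source port, two queries to the same authoritative server within the UDP state timeout share the same 4-tuple, hit the same state entry, and therefore go out with the same translated port, so the observed randomness is per (server, state-lifetime), not per query. The script below is an added example of the check, not code from the thread or from FreeBSD. It reads `tcpdump -n` output, keeps only UDP queries sent by the resolver address to port 53, and reports how many distinct source ports were used and the Shannon entropy of the distribution. The capture lines and the verdict thresholds are constructed for illustration.

```python
"""Check whether a resolver's outbound DNS queries use a fixed or a
randomized UDP source port, from `tcpdump -n` output.

Added example for the freebsd-security "BIND update?" thread; the sample
capture lines and the verdict thresholds below are constructed.
"""
import math
import re
from collections import Counter

# One `tcpdump -n` line per packet, e.g.
# 15:33:00.100 IP 192.0.2.53.35142 > 198.51.100.10.53: 41001+ A? www.example.com. (33)
# We only care about src-ip.src-port > dst-ip.53 where src-ip is the resolver.
QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.53: ")


def outbound_query_ports(lines, resolver_ip):
    """Return the UDP source ports of queries sent by resolver_ip to port 53.

    TCP segments (tcpdump prints 'Flags [...]') and inbound responses are
    skipped; only the resolver's own outbound UDP queries count.
    """
    ports = []
    for line in lines:
        if "Flags [" in line:  # TCP, not a UDP query
            continue
        m = QUERY_RE.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution.

    A single fixed port gives 0 bits; n distinct ports used once each give
    log2(n). Compare against the ~14 bits a 50001:65535 range could give.
    """
    n = len(ports)
    if n == 0:
        return 0.0
    counts = Counter(ports)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in counts.values()))


def assess(ports):
    """Summarise the port sample and give a rough verdict.

    Thresholds are an assumption for this example: one port is 'fixed',
    fewer than 80% distinct ports is 'reused', otherwise 'randomized'.
    """
    total = len(ports)
    distinct = len(set(ports))
    if total == 0:
        verdict = "no-queries"
    elif distinct == 1:
        verdict = "fixed"
    elif distinct < 0.8 * total:
        verdict = "reused"
    else:
        verdict = "randomized"
    return {
        "total": total,
        "distinct": distinct,
        "entropy_bits": round(port_entropy_bits(ports), 2),
        "port_range": (min(ports), max(ports)) if ports else None,
        "verdict": verdict,
    }


# Constructed capture: BIND stuck on one query port (35142). Includes a
# response and a TCP SYN that the parser must ignore.
FIXED_PORT_CAPTURE = [
    "15:33:00.100 IP 192.0.2.53.35142 > 198.51.100.10.53: 41001+ A? www.example.com. (33)",
    "15:33:00.102 IP 198.51.100.10.53 > 192.0.2.53.35142: 41001 1/0/0 A 93.184.216.34 (49)",
    "15:33:00.110 IP 192.0.2.53.35142 > 203.0.113.7.53: 41002+ AAAA? www.example.com. (33)",
    "15:33:00.120 IP 192.0.2.53.35142 > 198.51.100.10.53: 41003+ MX? example.com. (29)",
    "15:33:00.130 IP 192.0.2.53.35142 > 198.51.100.10.53: 41004+ A? mail.example.com. (34)",
    "15:33:00.140 IP 192.0.2.53.54321 > 198.51.100.10.53: Flags [S], seq 1, win 65535, length 0",
    "15:33:00.150 IP 192.0.2.53.35142 > 203.0.113.7.53: 41005+ NS? example.com. (29)",
]

# Constructed capture: each query leaves with a fresh port in pf's default
# 50001:65535 translation range.
RANDOM_PORT_CAPTURE = [
    "15:34:00.100 IP 192.0.2.53.51023 > 198.51.100.10.53: 41001+ A? www.example.com. (33)",
    "15:34:00.110 IP 192.0.2.53.63487 > 203.0.113.7.53: 41002+ AAAA? www.example.com. (33)",
    "15:34:00.120 IP 192.0.2.53.50377 > 198.51.100.10.53: 41003+ MX? example.com. (29)",
    "15:34:00.130 IP 192.0.2.53.58890 > 198.51.100.10.53: 41004+ A? mail.example.com. (34)",
    "15:34:00.150 IP 192.0.2.53.61502 > 203.0.113.7.53: 41005+ NS? example.com. (29)",
]


def report(lines, resolver_ip):
    """Parse a capture and return the assessment dict for resolver_ip."""
    return assess(outbound_query_ports(lines, resolver_ip))


if __name__ == "__main__":
    for name, capture in (("fixed", FIXED_PORT_CAPTURE), ("random", RANDOM_PORT_CAPTURE)):
        print(name, report(capture, "192.0.2.53"))
```

To run it against a live resolver, capture with `tcpdump -n -i <nic> udp and dst port 53` on the interface the nat rule is attached to (so you see post-translation packets), feed the lines to `report()`, and treat a "fixed" or "reused" verdict as the signal that neither the BIND update nor the pf rule is in effect.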