From: Mike Silbersack
To: Tim Clewlow
Cc: freebsd-security@freebsd.org, Oliver Fromme
Date: Thu, 10 Jul 2008 00:54:14 -0500 (CDT)
Subject: Re: BIND update?
Message-ID: <20080710004835.S5394@odysseus.silby.com>
In-Reply-To: <53413.192.168.1.10.1215667980.squirrel@192.168.1.100>

On Thu, 10 Jul 2008, Tim Clewlow wrote:

>> Can you make a pf rule that NATs all outgoing udp queries from BIND
>> with random source ports? That seems like it would have exactly the
>> same effect as BIND randomizing the source ports itself.
>
> Assuming this is NOT a gateway, ie a single homed DNS.
>
> This has not been tested, and may not work, but anyway, how about:
>
> nic="network interface name"
> bind_port="source port number you have set bind to ALWAYS use"
> nat on $nic from any port $bind_port to any -> ($nic)
>
> This _should_ do a special nat of both udp and tcp traffic, ie keep
> the same source IP but randomly pick a new source port.
>
> I haven't had time to set up a jail/test DNS to try this on, maybe
> it won't work at all, but that should give you an idea.
>
> Cheers, Tim.

Yes, using pf's NAT seems to work, although doxpara's checker claims that
it is not working.  Here's what tcpdump on the external side of NAT shows
me after I nat port 53 traffic:

06:05:56.469558 IP SILBYIP.60153 > 209.85.139.9.53: 9078% [1au] A? www.l.google.com. (45)
06:05:56.535407 IP 209.85.139.9.53 > SILBYIP.60153: 9078*- 3/0/0 A 64.233.167.99,[|domain]
06:06:03.767643 IP SILBYIP.59956 > 216.239.36.10.53: 21333% [1au] A? news.google.com. (44)
06:06:03.817520 IP 216.239.36.10.53 > SILBYIP.59956: 21333*- 1/7/8 CNAME news.l.google.com. (289)
06:06:03.818565 IP SILBYIP.55784 > 64.233.167.9.53: 61468% [1au] A? news.l.google.com. (46)
06:06:03.840510 IP 64.233.167.9.53 > SILBYIP.55784: 61468*- 2/0/0 A 72.14.207.104, (67)
06:06:16.830837 IP SILBYIP.59956 > 216.239.36.10.53: 59557% [1au] A? maps.google.com. (44)
06:06:16.880945 IP 216.239.36.10.53 > SILBYIP.59956: 59557*- 1/7/8 CNAME maps.l.google.com. (289)
06:06:16.881988 IP SILBYIP.63680 > 209.85.137.9.53: 11160% [1au] A? maps.l.google.com. (46)
06:06:17.025439 IP 209.85.137.9.53 > SILBYIP.63680: 11160*- 3/0/0 A 64.233.167.104,[|domain]

As you can see, we get a different source port for each server that we
connect to.  I would assume that makes us secure.  But the checker at
doxpara doesn't think we're secure because it's just one server that
we're connecting to repeatedly.

06:06:45.127850 IP SILBYIP.57575 > 209.200.168.66.53: 38156% [1au] A? 46e004a4f29d.toorrr.com. (52)
06:06:45.238227 IP 209.200.168.66.53 > SILBYIP.57575: 38156*- 1/0/0 CNAME[|domain]
06:06:45.239020 IP SILBYIP.57575 > 209.200.168.66.53: 11461% [1au][|domain]
06:06:45.351066 IP 209.200.168.66.53 > SILBYIP.57575: 11461*-[|domain]
06:06:45.351836 IP SILBYIP.57575 > 209.200.168.66.53: 57564% [1au][|domain]
06:06:45.466886 IP 209.200.168.66.53 > SILBYIP.57575: 57564*-[|domain]
06:06:45.467658 IP SILBYIP.57575 > 209.200.168.66.53: 31106% [1au][|domain]
06:06:45.580640 IP 209.200.168.66.53 > SILBYIP.57575: 31106*-[|domain]
06:06:45.581619 IP SILBYIP.57575 > 209.200.168.66.53: 4662% [1au][|domain]
06:06:45.692804 IP 209.200.168.66.53 > SILBYIP.57575: 4662*-[|domain]

So there we go, we saved the internet with NAT. :)

-Mike