Date: Wed, 9 Jul 2008 23:41:54 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: Mike Tancsa <mike@sentex.net> Cc: freebsd-security@freebsd.org, Oliver Fromme <olli@lurza.secnetix.de> Subject: Re: BIND update? Message-ID: <20080709233650.B3813@odysseus.silby.com> In-Reply-To: <200807091209.m69C9Gsl030319@lava.sentex.ca> References: <C4990135.1A0907%astorms@ncircle.com> <200807091054.m69As4eH065391@lurza.secnetix.de> <200807091209.m69C9Gsl030319@lava.sentex.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 9 Jul 2008, Mike Tancsa wrote: > At 06:54 AM 7/9/2008, Oliver Fromme wrote: >> Andrew Storms wrote: >> > http://www.isc.org/index.pl?/sw/bind/bind-security.php >> >> I'm just wondering ... >> >> ISC's patches cause source ports to be randomized, thus >> making it more difficult to spoof response packets. >> >> But doesn't FreeBSD already randomize source ports by >> default? So, do FreeBSD systems require to be patched >> at all? > > It doesnt seem to do a very good job of it with bind for some reason... > Perhaps because it picks a port and reuses it ? Yep, binding to a single query port and sticking to it is how BIND has operated for years. I just came up with a crazy idea, perhaps someone with more pf knowledge could answer this question: Can you make a pf rule that NATs all outgoing udp queries from BIND with random source ports? That seems like it would have exactly the same effect as BIND randomizing the source ports itself. Granted, updating BIND would probably be the better choice long term, but perhaps it'd be easier to push a new firewall rule out to a rack of machines. Mike "Silby" Silbersack
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080709233650.B3813>