nanog mailing list archives
Re: SANS: DNS Bug Now Public?
From: Jasper Bryant-Greene <jasper () unleash co nz>
Date: Thu, 24 Jul 2008 08:53:27 +1200
FWIW, anyone using iptables for NAT can use --random, e.g.: iptables -t nat -A POSTROUTING -o ethX -j SNAT --to x.x.x.x --random Useful for Linux NAT/load-balancer boxes, or for Linux-powered embedded devices where the vendor has not been forthcoming with a firmware patch to alter the rules they generate. I believe this requires kernel >= 2.6.21. -Jasper On Wed, 2008-07-23 at 12:16 -0700, Darren Bolding wrote:
After a bit of looking around, I have not been able to find a list of firewalls/versions which are known to provide appropriate randomness in their PAT algorithms (or more importantly, those that do not). I would be very interested in such a list if anyone knows of one. As a side note, most people here realize this but, while people mention firewalls, keep in mind that if a load-balancer or other device is your egress PAT device, you might be interested in checking those systems port-translation randomness as well. --D On Wed, Jul 23, 2008 at 10:11 AM, Joe Abley <jabley () ca afilias info> wrote:On 23 Jul 2008, at 12:16, Jorge Amodio wrote: Let me add that folks need to understand that the "patch" is not a fix to aproblem that has been there for long time and it is just a workaround to reduce the chances for a potential attack, and it must be combined with best practices and recommendations to implent a more robust DNS setup.Having just seen some enterprise types spend time patching their nameservers, it's also perhaps worth spelling out that "patch" in this case might require more than upgrading resolver code -- it could also involve reconfigurations, upgrades or replacements of NAT boxes too. If your NAT reassigns source ports in a predictable fashion, then no amount of BIND9 patching is going to help. (Reconfiguring your internal resolvers to forward queries to an external, patched resolver which can see the world other than through NAT-coloured glasses may also be a way out.) Joe
Current thread:
- SANS: DNS Bug Now Public? Jon Kibler (Jul 22)
- Re: SANS: DNS Bug Now Public? Christian Koch (Jul 22)
- Re: SANS: DNS Bug Now Public? Jorge Amodio (Jul 22)
- Re: SANS: DNS Bug Now Public? Steven M. Bellovin (Jul 23)
- Re: SANS: DNS Bug Now Public? Jorge Amodio (Jul 23)
- Re: SANS: DNS Bug Now Public? Joe Abley (Jul 23)
- Re: SANS: DNS Bug Now Public? Darren Bolding (Jul 23)
- Re: SANS: DNS Bug Now Public? Jasper Bryant-Greene (Jul 23)
- Re: SANS: DNS Bug Now Public? Phil Regnauld (Jul 24)
- Re: SANS: DNS Bug Now Public? Paul Vixie (Jul 24)
- Re: SANS: DNS Bug Now Public? Steven M. Bellovin (Jul 23)