Re: SANS: DNS Bug Now Public?

["Darren Bolding" <darren () bolding org>]

After a bit of looking around, I have not been able to find a list of
firewalls/versions which are known to provide appropriate randomness in
their PAT algorithms (or more importantly, those that do not).

I would be very interested in such a list if anyone knows of one.

As a side note, most people here realize this but, while people mention
firewalls, keep in mind that if a load-balancer or other device is your
egress PAT device, you might be interested in checking those systems
port-translation randomness as well.

--D

On Wed, Jul 23, 2008 at 10:11 AM, Joe Abley <jabley () ca afilias info> wrote:

> On 23 Jul 2008, at 12:16, Jorge Amodio wrote:
>
> Let me add that folks need to understand that the "patch" is not a fix to a
> > problem that has been there for long time and
> > it is just a workaround to reduce the chances for a potential
> > attack, and it must be combined with best practices and
> > recommendations to implent a more robust DNS setup.
>
> Having just seen some enterprise types spend time patching their
> nameservers, it's also perhaps worth spelling out that "patch" in this case
> might require more than upgrading resolver code -- it could also involve
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT
> reassigns source ports in a predictable fashion, then no amount of BIND9
> patching is going to help.
>
> (Reconfiguring your internal resolvers to forward queries to an external,
> patched resolver which can see the world other than through NAT-coloured
> glasses may also be a way out.)
>
>
> Joe


-- 
-- Darren Bolding --
-- darren () bolding org --