Re: BIND update?

On Wed, 9 Jul 2008, Mike Tancsa wrote:

> At 06:54 AM 7/9/2008, Oliver Fromme wrote:
> > Andrew Storms wrote:
> > > http://www.isc.org/index.pl?/sw/bind/bind-security.php
> >
> > I'm just wondering ...
> >
> > ISC's patches cause source ports to be randomized, thus
> > making it more difficult to spoof response packets.
> >
> > But doesn't FreeBSD already randomize source ports by
> > default? So, do FreeBSD systems need to be patched
> > at all?
>
> It doesn't seem to do a very good job of it with bind for some reason... Perhaps because it picks a port and reuses it?

Yep, binding to a single query port and sticking to it is how BIND has operated for years.

I just came up with a crazy idea; perhaps someone with more pf knowledge could answer this question:

Can you make a pf rule that NATs all outgoing udp queries from BIND with random source ports? That seems like it would have exactly the same effect as BIND randomizing the source ports itself.

Granted, updating BIND would probably be the better choice long term, but perhaps it'd be easier to push a new firewall rule out to a rack of machines.

Mike "Silby" Silbersack
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
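A pf.conf fragment of the kind Silby is asking about, added here as an example that is not from the thread or from any of its posters. It assumes the resolver's queries leave through em0 (a constructed interface name) and that named still binds a single outgoing query port:

```pf
# Added example (not from the thread): pf.conf fragment for a FreeBSD host
# running a recursive BIND that binds one outgoing query port and reuses it.
# Assumption: em0 is the interface the resolver's queries leave on.
ext_if = "em0"

# Rewrite the source port of every outgoing UDP DNS query. pf chooses the
# new port at random from the given range for each new state, so consecutive
# queries from named's single socket leave with different source ports.
# Without an explicit range pf uses 50001:65535; the wider range below gives
# a forged reply more values to guess. Do not add "static-port" here: it keeps
# the original source port and defeats the purpose of the rule.
nat on $ext_if inet proto udp from ($ext_if) to any port 53 \
    -> ($ext_if) port 1024:65535

# Replies are matched to the state pf created for the query and translated
# back to named's real port; let the queries out and keep state for them.
pass out quick on $ext_if inet proto udp from ($ext_if) to any port 53 keep state
```

The rewritten ports can be checked with `pfctl -s state`, which lists each query's state with its translated port, or by watching `tcpdump -ni em0 udp port 53`. The rule only covers queries that actually leave through $ext_if, and a NAT device further upstream can still collapse them back onto a single port.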
