Re: BIND update?

On Wed, 9 Jul 2008, Mike Tancsa wrote:

At 06:54 AM 7/9/2008, Oliver Fromme wrote:
Andrew Storms wrote:

I'm just wondering ...

ISC's patches cause source ports to be randomized, thus
making it more difficult to spoof response packets.

But doesn't FreeBSD already randomize source ports by
default? So, do FreeBSD systems require to be patched
at all?

It doesnt seem to do a very good job of it with bind for some reason... Perhaps because it picks a port and reuses it ?

Yep, binding to a single query port and sticking to it is how BIND has operated for years.

I just came up with a crazy idea, perhaps someone with more pf knowledge could answer this question:

Can you make a pf rule that NATs all outgoing udp queries from BIND with random source ports? That seems like it would have exactly the same effect as BIND randomizing the source ports itself.

Granted, updating BIND would probably be the better choice long term, but perhaps it'd be easier to push a new firewall rule out to a rack of machines.

Mike "Silby" Silbersack
freebsd-security@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"