Re: [Fwd: cvs commit: ports/dns/bind9 Makefile distinfo ports/dns/bind94 Makefile distinfo ports/dns/bind95 Makefile distinfo]



On Fri, Jul 11, 2008 at 11:56:53AM -0400, Alan Clegg wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Jeremy Chadwick wrote:
> > On Fri, Jul 11, 2008 at 08:54:48AM -0600, Brett Glass wrote:
> > > Is there a way to restrict the ports which BIND selects -- perhaps
> > > at the expense of a small amount of entropy -- such that it doesn't
> > > try to use UDP ports which are administratively blocked (e.g. ports
> > > used by worms, or insecure Microsoft network utilities)? We don't
> > > dare turn these port blocks off, or naive users will fall prey to
> > > security holes in Microsoft products. But if BIND doesn't know to
> > > work around them, lookups will occasionally (and infuriatingly!)
> > > fail.
> > 
> > query-source has an argument called "port" which will do what you want.
> > That option *only* affects UDP queries, however; TCP queries are always
> > random.
> 
> While query-source allows you to lock down to a single port, you DO NOT
> WANT TO DO THIS -- if you do, you will be vulnerable to the very thing
> that the patch made you immune (well, safer) from.
> 
> What Brett (and others) need to do is risk the waters with the new beta
> code (9.4.3b2 and 9.5.1b1) which includes additional "fine-grained"
> control for the UDP ports to be used.
> 
> Please, PLEASE, do not introduce "query-source port XX" into your
> configurations.

The problem here is WRT network ACLs. The only solution is to bind BIND
to a specific IP address and permit any outbound TCP or UDP traffic +
any inbound TCP or UDP traffic to port 53. Most network administrators
I know of won't like that, as they deny all incoming *and* outgoing
traffic, then apply permit ACLs. There's no "clean" or "strict" permit
ACL, while with port XX, you can at least narrow down things UDP-wise a
bit more.

I'll add that the stock src/etc/namedb/named.conf even advocates the use
of query-source ... port 53. I'm sure this will be changed as a result
of the recent security issue.

--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
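The trade-off Brett asks about and Alan warns about can be put in numbers. The following is an added illustration, not code from this thread or from ISC BIND: it models how much guessing an off-path spoofer faces under a fixed `query-source port`, under a randomised ephemeral range with an administratively blocked set removed, and under the full range. The blocked-port list is constructed for the example (the thread names such ports only generically), and the `avoid-v4-udp-ports` option rendered by `make_avoid_clause()` is the fine-grained control of the 9.4.3/9.5.1 line, which the thread does not name; treat that option name as an assumption to be checked against your release's ARM.

```python
"""Added example (not from the thread or from ISC BIND): model how a
resolver's UDP source-port policy changes the search space an off-path
spoofer must cover.  The BIND option name used in make_avoid_clause() is
assumed, not taken from the thread."""
import math
import random

# Constructed example of ports a site filters administratively; the thread
# only describes them generically (worm / Microsoft service ports).
BLOCKED_PORTS = frozenset({135, 137, 138, 139, 445, 1434})

TXID_SPACE = 65536  # 16-bit DNS transaction ID


def port_pool(low, high, blocked=frozenset()):
    """Source ports the resolver may pick from, with blocked ones removed."""
    return [p for p in range(low, high + 1) if p not in blocked]


def entropy_bits(pool_size):
    """Bits of unpredictability contributed by the source port alone."""
    return math.log2(pool_size)


def spoof_success_probability(pool_size, forged_responses, txid_space=TXID_SPACE):
    """Chance that a burst of distinct forged answers hits the one
    (TXID, source port) pair the resolver is waiting on."""
    space = pool_size * txid_space
    return min(forged_responses, space) / space


def pick_source_port(pool, rng=random.SystemRandom()):
    """Draw a source port uniformly from the pool using the OS CSPRNG."""
    return rng.choice(pool)


def make_avoid_clause(blocked):
    """Render an avoid-v4-udp-ports clause (assumed option name, see above)."""
    body = " ".join(f"{p};" for p in sorted(blocked))
    return f"avoid-v4-udp-ports {{ {body} }};"


POLICIES = {
    # What Alan warns against: the stock named.conf's fixed port.
    "query-source port 53": port_pool(53, 53),
    # Brett's wish: randomise, but never land on an administratively blocked port.
    "random, avoid blocked": port_pool(1024, 65535, BLOCKED_PORTS),
    # Unrestricted ephemeral range, for comparison.
    "random, full range": port_pool(1024, 65535),
}


def compare(forged_responses=1000):
    """Per policy: (pool size, port entropy in bits, spoof probability)."""
    return {
        name: (len(pool), entropy_bits(len(pool)),
               spoof_success_probability(len(pool), forged_responses))
        for name, pool in POLICIES.items()
    }


if __name__ == "__main__":
    for name, (size, bits, prob) in compare().items():
        print(f"{name:24s} ports={size:6d} entropy={bits:5.2f} bits "
              f"p(spoof per 1000 forged)={prob:.2e}")
    print(make_avoid_clause(BLOCKED_PORTS))
```

Two things fall out of running it. Most of the ports a site typically blocks sit below 1024, so they cost nothing once the resolver draws from the ephemeral range; removing the few that do fall inside the range shrinks the pool by a negligible fraction of a bit. A single fixed port, by contrast, leaves only the 16-bit TXID between a spoofer and the cache, which is the exposure Alan's warning is about.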
