Anthony Roberts wrote:
I don't think this actually accomplishes much. It still lets poisoned
replies back in on the previous port number.
hm... I don't think it does. BIND would, but it's going through PF.
Without an additional rule to pass in to user named, the UDP reply has to
be to the new NATed port. That's the
On 2008-07-09, mark reardon [EMAIL PROTECTED] wrote:
doxpara.com reports no issues with unbound FWIW.
right, unbound already randomises the source port (arc4random
from guess where) and also the source address if you list more
than one (assign aliases to the interfaces, and list all of
the IP
* Stuart Henderson [EMAIL PROTECTED] [080709 07:15]:
mcbride@ pointed out that you can give named some more protection
by natting outbound udp traffic destined for port 53 (even just on
the box running the resolver, it doesn't have to be on a firewall
in front). something like,
nat on
Hi.
I guess OpenBSD's named is affected by the actual issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
So I hope a patch is in progress?
Or is OpenBSD not affected by this issue?
So long,
Andreas.
--
Windows 95: A 32-bit patch for a
On Wed, 9 Jul 2008 11:10:09 +0200, Andreas Maus wrote:
Hi.
I guess OpenBSD's named is affected by the actual issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
So I hope a patch is in progress?
Or is OpenBSD not affected by this issue?
So
Hi Andreas,
Aren't you dumping on the wrong interface here?
Should it not be your $ext_if where the alleged poisoning will come from?
2008/7/9 Rod Whitworth [EMAIL PROTECTED]:
On Wed, 9 Jul 2008 11:10:09 +0200, Andreas Maus wrote:
Hi.
I guess OpenBSD's named is affected by the actual
On Wed, Jul 09, 2008 at 11:19:24AM +0100, mark reardon wrote:
Hi Andreas,
Aren't you dumping on the wrong interface here?
Should it not be your $ext_if where the alleged poisoning will come from?
Hi Mark.
Excuse me? The tcpdump was provided by Rod Whitworth
[EMAIL PROTECTED].
So long,
On Jul 9, 2008, at 4:53 AM, Rod Whitworth wrote:
# tcpdump -nettti rl0 dst port 53
tcpdump: listening on rl0, link-type EN10MB
Jul 09 19:48:27.786683 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 70:
192.168.80.4.16284 > 192.168.80.1.53: 57120+ A? pps.com.au. (28)
Jul 09 19:48:43.690332
On 2008-07-09, Steve Tornio [EMAIL PROTECTED] wrote:
I get a different result using the external interface of my caching
name server, and mine looks vulnerable.
named is. the stub resolver isn't.
mcbride@ pointed out that you can give named some more protection
by natting outbound udp
On 7/9/2008 at 5:58 AM Steve Tornio wrote:
|On Jul 9, 2008, at 4:53 AM, Rod Whitworth wrote:
|
|
| # tcpdump -nettti rl0 dst port 53
| tcpdump: listening on rl0, link-type EN10MB
| Jul 09 19:48:27.786683 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 70:
| 192.168.80.4.16284 > 192.168.80.1.53: 57120+ A?
doxpara.com reports no issues with unbound FWIW.
Thanks to Stuart for this suggestion during the previous DJBware for ports
thread.
2008/7/9 Stuart Henderson [EMAIL PROTECTED]:
On 2008-07-09, Steve Tornio [EMAIL PROTECTED] wrote:
I get a different result using the external interface of my
On 2008-07-09, Stuart Henderson [EMAIL PROTECTED] wrote:
nat on egress proto udp from (self) to any port 53 -> (self)
thanks to those who pointed out (self) includes 127.0.0.1, so you
don't want to use -> (self), rather use -> (egress).
e.g. nat on egress proto udp from (self) to any port 53 ->
On 7/9/08, Stuart Henderson [EMAIL PROTECTED] wrote:
mcbride@ pointed out that you can give named some more protection
by natting outbound udp traffic destined for port 53 (even just on
the box running the resolver, it doesn't have to be on a firewall
in front). something like,
nat on
On Jul 9, 2008, at 12:19 PM, Ted Unangst wrote:
in front). something like,
nat on egress proto udp from (self) to any port 53 -> (self)
I don't think this actually accomplishes much. It still lets poisoned
replies back in on the previous port number.
But does it allow a poisoned reply from
On 7/9/08, Steve Tornio [EMAIL PROTECTED] wrote:
I don't think this actually accomplishes much. It still lets poisoned
replies back in on the previous port number.
But does it allow a poisoned reply from the spoofed address?
oh, right. I think I forgot even UDP packets have IP
] [mailto:[EMAIL PROTECTED]
On behalf of Ted Unangst
Sent: Wednesday, 9 July 2008 20:10
To: Steve Tornio
Cc: misc
Subject: Re: Actual BIND error - Patching OpenBSD 4.3 named ?
On 7/9/08, Steve Tornio [EMAIL PROTECTED] wrote:
I don't think this actually accomplishes much. It still