David Carmean wrote:
> I seem to have lost a message where somebody from ISC (Paul?) was going to
> release an updated/new advisory regarding the source-port de-randomizing
> effects that many NAT implementations will have upon patched servers.

I don't know what Paul (or whoever) was going to say, but I'll say the following:

If I can get your nameserver to resolve a specific query (consider, as Evan said earlier, an e-mail with a link in it that someone in your organization might click on), and that query is from a device that shows up on the Internet as a resolver with non-random source ports, I may very well be able to poison your cache. Consider that there are other ways to force "internal" servers to do predictable outbound queries (think about the SMTP protocol for a moment)...

Randomize the port numbers. Please.

AlanC
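As an added example (not part of the thread above), here is a small check a defender can run on the UDP source ports of a resolver's outbound queries as observed on the outside of the NAT, to see whether randomization survived the translation. The two port lists are constructed samples, not captured data.

```python
"""Estimate whether a resolver's outbound DNS source ports look random.

Added example, not from the original thread. Feed it the UDP source
ports seen on the outside of your NAT for a resolver's queries (for
instance pulled from a packet capture); the lists below are constructed.
"""
import math
from collections import Counter

# Constructed samples: what a patched resolver looks like from outside,
# versus the same resolver behind a NAT that rewrites ports sequentially.
RANDOMIZED_PORTS = [53211, 1127, 48902, 7731, 62014, 30588, 4412, 59901,
                    21777, 38450, 9098, 50120, 17364, 44001, 2993, 57730]
NAT_SEQUENTIAL_PORTS = [1024 + i for i in range(16)]


def _entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def port_randomness_report(ports, small_delta=16):
    """Score a sequence of observed source ports.

    Returns the fraction of distinct ports, the fraction of consecutive
    pairs with a small difference (a counter-style NAT), an entropy
    figure, and a verdict: 'randomized' or 'predictable'.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    distinct_ratio = len(set(ports)) / len(ports)
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    small_ratio = sum(1 for d in deltas if d <= small_delta) / len(deltas)
    # Ideal entropy for n all-distinct samples is log2(n); compare to it.
    entropy_ratio = _entropy_bits(ports) / math.log2(len(ports))
    predictable = small_ratio > 0.5 or distinct_ratio < 0.5
    return {
        "distinct_ratio": distinct_ratio,
        "small_delta_ratio": small_ratio,
        "entropy_ratio": entropy_ratio,
        "verdict": "predictable" if predictable else "randomized",
    }


if __name__ == "__main__":
    for name, sample in (("patched", RANDOMIZED_PORTS),
                         ("behind NAT", NAT_SEQUENTIAL_PORTS)):
        print(name, port_randomness_report(sample))
```

A fixed port (every query from the same source port) also comes out as predictable, since the distinct-port ratio collapses; a NAT that hands out a strictly increasing counter is caught by the small-delta ratio even though every port is distinct.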
