On 28.07.11 15:33, Pete Fong wrote:
My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
DNS server. I have installed bind-9.7.3P3-0.2.1
Our external auditor used "NeXpose" for scanning my system. It showed
"Insufficient DNS Source Port Randomization Vulnerability".
The insufficient randomization was afaik fixed in 9.5.0.
Therefore
I have followed BIND 9 Configuration Reference Guide, I have adjusted
named.conf configuration file as below :
query-source address * port * ;
query-source-v6 address * port *;
use-v4-udp-ports { range 1024 65535; };
use-v6-upd-ports ( range 1024 65535; };
Did you have these before? I think that BIND tries those ports by
default, so configuring them should not affect it.
But I am not lucky, The NeXpose software still showed the same
vulnerability. Anybody has some issue ? Anybody can help me ?
Is your resolving server behind firewall? Does the firewall change
source port?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
