On Tue, Jul 22, 2008 at 4:48 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
>
> - if your recursive servers are behind pfSense doing NAT with a
> default NAT configuration, you're fine even *without* patching your
> DNS servers.

Scratch that part depending on your DNS server - if it uses a single
static source port for all queries like I've confirmed in BIND and
Windows Server 2003 DNS (both unpatched), no rewriting is going to
help. The quad tuple (source and dest IP and port) used to maintain
UDP state in pf won't change for any given single external server - so
while it *will* rewrite the source port to something random, that same
state will be used for subsequent queries so all the traffic to that
one particular server will always appear from the same source port.

But at least unlike Cisco, Checkpoint, and many others, pf and pfSense
won't degrade your patched DNS server to leave you vulnerable.

Blog post with recommendations depending on your DNS setup forthcoming.

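A toy model of the state behaviour described in the message, added here as an illustration (this is not pf's code): the NAT keys UDP state on the (src IP, src port, dst IP, dst port) tuple and picks a random external port only when a new state is created, so a resolver with one fixed source port gets one external port per authoritative server, while a resolver with randomized source ports creates a fresh state, and a fresh external port, for each query. IP addresses, port ranges and the resolver port-selection functions are constructed for the example; state expiry is ignored.

```python
import random


class PfNatTable:
    """Minimal stand-in for pf's UDP state table with source-port rewriting."""

    def __init__(self, ext_ip="203.0.113.1", seed=42):
        self.ext_ip = ext_ip
        # (src_ip, src_port, dst_ip, dst_port) -> rewritten external source port
        self.states = {}
        self.rng = random.Random(seed)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (external IP, external port) the remote server sees."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.states:
            # First packet of a flow: pick a random high port and create state.
            # Every later packet matching the same tuple reuses this state
            # (states are assumed not to expire between queries).
            self.states[key] = self.rng.randrange(49152, 65536)
        return self.ext_ip, self.states[key]


def static_port():
    """Unpatched resolver: every query leaves from the same source port."""
    return 32768


def random_port(rng=random.Random(7)):
    """Patched resolver: a fresh random source port for each query."""
    return rng.randrange(1024, 65536)


def observed_ports(nat, pick_source_port, queries=20,
                   resolver_ip="10.0.0.5", auth_ip="198.51.100.53"):
    """Collect the source ports one authoritative server observes over `queries` lookups."""
    seen = set()
    for _ in range(queries):
        _, ext_port = nat.translate(resolver_ip, pick_source_port(), auth_ip, 53)
        seen.add(ext_port)
    return seen


if __name__ == "__main__":
    print("static-port resolver behind NAT:", observed_ports(PfNatTable(), static_port))
    print("random-port resolver behind NAT:", observed_ports(PfNatTable(), random_port))
```

The check worth running against a real setup is the same one: query a server you control from behind the NAT repeatedly and count distinct source ports; one port means the NAT is not adding entropy.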