> > On Wed, 9 Jul 2008, Mike Tancsa wrote:
> >> At 06:54 AM 7/9/2008, Oliver Fromme wrote:
> >>> Andrew Storms wrote:
> >>> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
> >>>
> >>> I'm just wondering ...
> >>>
> >>> ISC's patches cause source ports to be randomized, thus
> >>> making it more difficult to spoof response packets.
> >>>
> >>> But doesn't FreeBSD already randomize source ports by
> >>> default? So, do FreeBSD systems need to be patched
> >>> at all?
> >>
> >> It doesn't seem to do a very good job of it with bind for some
> >> reason...
> >> Perhaps because it picks a port and reuses it?
> >
> > Yep, binding to a single query port and sticking to it is how BIND has
> > operated for years.
> >
> > I just came up with a crazy idea, perhaps someone with more pf knowledge
> > could answer this question:
> >
> > Can you make a pf rule that NATs all outgoing udp queries from BIND with
> > random source ports? That seems like it would have exactly the same
> > effect as BIND randomizing the source ports itself.
> >
> > Granted, updating BIND would probably be the better choice long term, but
> > perhaps it'd be easier to push a new firewall rule out to a rack of
> > machines.
>
Assuming this is NOT a gateway, i.e. a single-homed DNS. This has not been tested, and may not work, but anyway, how about:

nic="network interface name"
bind_port="source port number you have set bind to ALWAYS use"

nat on $nic from any port $bind_port to any -> ($nic)

This _should_ do a special nat of both udp and tcp traffic, i.e. keep the same source IP but randomly pick a new source port.

I haven't had time to set up a jail/test DNS to try this on, maybe it won't work at all, but that should give you an idea.

Cheers,
Tim.

We are BSD ... resistance is futile.
http://www.freebsd.org/ - http://www.openbsd.org/ - http://www.netbsd.org/

_______________________________________________
freebsd-security mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
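Whether it is the NAT rule above or a patched BIND doing the randomising, the thing to verify is the source ports of the queries actually leaving the resolver. The script below is an added example, not part of the thread: it parses constructed tcpdump-style capture lines (documentation addresses and made-up query IDs) and reports whether the resolver's query ports are fixed, weakly varied, or randomised.

```python
"""Check whether a resolver's outgoing DNS queries use varied source ports.
Input is tcpdump-style lines from the resolver (e.g. `tcpdump -n dst port 53`); the
verdict tells a resolver stuck on one query port from one with randomised ports."""
import re
from collections import Counter

# Source port of tcpdump's "IP a.b.c.d.port > w.x.y.z.53:" lines (UDP or TCP).
QUERY_RE = re.compile(r"IP \d+\.\d+\.\d+\.\d+\.(\d+) > \d+\.\d+\.\d+\.\d+\.53:")

# Constructed sample captures (RFC 5737 documentation addresses, made-up query IDs).
FIXED_PORT_CAPTURE = [
    "12:00:01.000001 IP 192.0.2.10.32771 > 198.51.100.1.53: 1001+ A? example.com. (29)",
    "12:00:01.200001 IP 192.0.2.10.32771 > 198.51.100.1.53: 1002+ A? example.net. (29)",
    "12:00:01.400001 IP 192.0.2.10.32771 > 198.51.100.2.53: 1003+ MX? example.org. (29)",
    "12:00:01.600001 IP 192.0.2.10.32771 > 198.51.100.1.53: 1004+ AAAA? example.com. (29)",
]
RANDOM_PORT_CAPTURE = [
    "12:00:02.000001 IP 192.0.2.10.61034 > 198.51.100.1.53: 1005+ A? example.com. (29)",
    "12:00:02.200001 IP 192.0.2.10.52890 > 198.51.100.1.53: 1006+ A? example.net. (29)",
    "12:00:02.400001 IP 192.0.2.10.57013 > 198.51.100.2.53: 1007+ MX? example.org. (29)",
    "12:00:02.600001 IP 192.0.2.10.63457 > 198.51.100.1.53: 1008+ AAAA? example.com. (29)",
]

def source_ports(lines):
    """Count the source port of every query to port 53 in the capture lines."""
    ports = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            ports[int(m.group(1))] += 1
    return ports

def assess(lines, min_distinct_ratio=0.9):
    """Return (distinct_ports, total_queries, verdict).

    'fixed'      - every query left from one port (the old BIND behaviour)
    'randomised' - nearly every query used a fresh port
    'weak'       - ports vary, but far fewer than one per query
    """
    ports = source_ports(lines)
    total = sum(ports.values())
    if total == 0:
        return 0, 0, "no-queries"
    distinct = len(ports)
    if distinct == 1:
        return distinct, total, "fixed"
    if distinct / total >= min_distinct_ratio:
        return distinct, total, "randomised"
    return distinct, total, "weak"
```

Run it against a capture taken on the resolver's outside interface after applying the rule; if the verdict is still "fixed", the NAT is not rewriting the ports as intended.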
