[pfSense-discussion] DNS resolver test
http://www.provos.org/index.php?/pages/dnstest.html

DNS Resolver Test

For secure name resolution, it is important that your DNS resolver uses random source ports. The box below will tell you if there is something you need to worry about.

Your DNS Resolver needs to be updated.

If the box says that you are using random ports, there is nothing to worry about. If it shows a red border, your resolver does not use completely random source ports. This could imply a security problem; see the following CERT advisory. However, some resolvers have implemented countermeasures that do not solely rely on random source ports.

There is a little bit more information about this security problem on Dan Kaminsky's blog.

Should we be getting worried now?

-- 
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [pfSense-discussion] DNS resolver test
On Tue, Jul 22, 2008 at 2:32 PM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> http://www.provos.org/index.php?/pages/dnstest.html
>
> DNS Resolver Test
>
> For secure name resolution, it is important that your DNS resolver uses
> random source ports. The box below will tell you if there is something you
> need to worry about.
>
> Your DNS Resolver needs to be updated.
>
> If the box says that you are using random ports, there is nothing to worry
> about. If it shows a red border, your resolver does not use completely random
> source ports. This could imply a security problem; see the following CERT
> advisory. However, some resolvers have implemented countermeasures that do
> not solely rely on random source ports.
>
> There is a little bit more information about this security problem on Dan
> Kaminsky's blog.
>
> Should we be getting worried now?

If anyone is worried, then they should update their dnsmasq.

http://blog.pfsense.org/?p=210

Scott
[pfSense-discussion] obfuscated TCP; BTNS
I'm highly clueless about *BSD matters. Does anyone know of ongoing projects to make either http://code.google.com/p/obstcp/ or BTNS (IETF draft) happen on FreeBSD, so that pfSense can ultimately profit from it?

(In regards to BTNS, I've been told that connection latching has been in Solaris for years, and the BTNS core can be implemented with IKE daemons accepting a wildcard as the name for certs.)

Thanks.
Re: [pfSense-discussion] obfuscated TCP; BTNS
On Tue, Jul 22, 2008 at 8:45 PM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> I'm highly clueless about *BSD matters, does anyone know
> of ongoing projects to make either http://code.google.com/p/obstcp/
> or BTNS (IETF draft) happen on FreeBSD, so that pfSense
> can ultimately profit from it?
>
> (In regards to BTNS, I've been told that connection latching has
> been in Solaris for years, and BTNS core can be implemented with
> IKE daemons accepting wildcard as name for certs).
>
> Thanks.
>

It is still a draft, and I know there have been applications, long before this, that did this with raw sockets. It seems just not secure and adds complexity, but we'll see where it ends.

-- 
Ermal
Re: [pfSense-discussion] DNS resolver test
On Tue, Jul 22, 2008 at 2:32 PM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> http://www.provos.org/index.php?/pages/dnstest.html
>
> DNS Resolver Test
>
> For secure name resolution, it is important that your DNS resolver uses
> random source ports. The box below will tell you if there is something you
> need to worry about.
>
> Your DNS Resolver needs to be updated.
>

I'll put a new blog post up later today with in depth info now that the cat's out of the bag on this. In short:

- the dnsmasq update is good, but not related to this at all - dnsmasq doesn't issue recursive queries, so you don't have to update it.

- if you're using the DNS forwarder on pfSense, whether or not you're vulnerable depends on what servers it relies on for answering queries. Unless you specify otherwise, this is your ISP.

- if your recursive servers are behind pfSense doing NAT with a default NAT configuration, you're fine even *without* patching your DNS servers. Note this is only true if pfSense is the *only* thing doing NAT - see thread yesterday on one of the lists where someone who was double NATing was blaming pfSense for something that some commercial box was doing wrong when pfSense was behaving fine.

- if you're using the DNS server package on pfSense, it's djbdns, and it never was vulnerable to this.

What you're likely seeing above (though you've left out details) is your ISP hasn't fixed their DNS servers. If your ISP is still vulnerable, switch to OpenDNS and you're fine.
Re: [pfSense-discussion] DNS resolver test
On Tue, Jul 22, 2008 at 1:32 PM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> http://www.provos.org/index.php?/pages/dnstest.html
>
> DNS Resolver Test
>
> For secure name resolution, it is important that your DNS resolver uses
> random source ports. The box below will tell you if there is something you
> need to worry about.
>
> Your DNS Resolver needs to be updated.
>
> If the box says that you are using random ports, there is nothing to worry
> about. If it shows a red border, your resolver does not use completely random
> source ports. This could imply a security problem; see the following CERT
> advisory. However, some resolvers have implemented countermeasures that do
> not solely rely on random source ports.
>
> There is a little bit more information about this security problem on Dan
> Kaminsky's blog.
>
> Should we be getting worried now?

You probably should be. I have nothing to worry about according to that page:

  Your DNS Resolver uses random ports.

This is an unpatched BIND caching name server (that is certainly NOT using random ports) sitting behind a pfSense box. However, the checker at doxpara.com absolutely DOES show the issue.

From what I understand, it's not necessarily an issue that pfSense can solve for you, as it's keeping quasi state on the UDP traffic for the queries and they'll have the same tuple multiple times within the state timeout, so all the queries will match the first state.

--Bill
Re: [pfSense-discussion] DNS resolver test
On Tue, Jul 22, 2008 at 4:48 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
>
> - if your recursive servers are behind pfSense doing NAT with a
> default NAT configuration, you're fine even *without* patching your
> DNS servers.

Scratch that part depending on your DNS server - if it uses a single static source port for all queries like I've confirmed in BIND and Windows Server 2003 DNS (both unpatched), no rewriting is going to help. The quad tuple (source and dest IP and port) used to maintain UDP state in pf won't change for any given single external server - so while it *will* rewrite the source port to something random, that same state will be used for subsequent queries, so all the traffic to that one particular server will always appear from the same source port.

But at least unlike Cisco, Checkpoint, and many others, pf and pfSense won't degrade your patched DNS server to leave you vulnerable.

Blog post with recommendations depending on your DNS setup forthcoming.
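The 4-tuple behaviour Chris describes above, and Bill's observation earlier in the thread that an unpatched BIND behind pfSense can pass a single-query check while still exposing a static port to any one upstream server, can be seen in a small simulation. This is an added example and not code from pfSense, pf or any of the posters: the NAT state table is a deliberately simplified model (one state per 4-tuple, no timeouts), the IP addresses are constructed, and the "static / sequential / weak / random" thresholds in assess_port_randomness are this example's own choice rather than those of the provos.org or doxpara.com checkers.

```python
import random
from typing import Dict, List, Optional, Tuple

# pf keeps one UDP state per 4-tuple; this model keys on the same tuple.
FourTuple = Tuple[str, int, str, int]


class NatStateTable:
    """Simplified model of a NAT box keeping one UDP state per 4-tuple.

    A new 4-tuple gets a fresh random external port; a 4-tuple that already
    has a state reuses the port it was first given. Real pf expires states
    after a timeout; this constructed model never does.
    """

    def __init__(self, external_ip: str, rng: random.Random) -> None:
        self.external_ip = external_ip
        self.rng = rng
        self.states: Dict[FourTuple, int] = {}

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> int:
        """Return the external source port the upstream server will see."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.states:
            # First packet of this 4-tuple: pick a random rewritten port.
            self.states[key] = self.rng.randint(1024, 65535)
        # Any later packet with the same 4-tuple matches the existing state.
        return self.states[key]


def resolver_ports(n: int, static_port: Optional[int], rng: random.Random) -> List[int]:
    """Source ports an internal resolver picks for n outbound queries.

    static_port set  -> unpatched resolver (same port every query)
    static_port None -> patched resolver choosing a random ephemeral port
    """
    if static_port is not None:
        return [static_port] * n
    return [rng.randint(1024, 65535) for _ in range(n)]


def ports_seen_by_upstream(n: int, static_port: Optional[int], seed: int = 1) -> List[int]:
    """External source ports one upstream server observes for n queries from
    one internal resolver through the NAT. All addresses are constructed."""
    rng = random.Random(seed)
    nat = NatStateTable("203.0.113.5", rng)
    return [nat.translate("192.0.2.10", sport, "198.51.100.1", 53)
            for sport in resolver_ports(n, static_port, rng)]


def assess_port_randomness(ports: List[int]) -> str:
    """Classify the source ports an observer sees across many queries from
    one client, the way a test server that receives several queries could.

    Returns "static", "sequential", "weak" or "random". Thresholds are this
    example's own assumption, not those of any particular checker.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries to judge")
    distinct = len(set(ports))
    if distinct == 1:
        return "static"
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if deltas == {1}:
        return "sequential"
    if distinct >= 0.9 * len(ports):
        return "random"
    return "weak"


if __name__ == "__main__":
    for label, sp in (("unpatched resolver, static port 53", 53),
                      ("patched resolver, random ports", None)):
        seen = ports_seen_by_upstream(200, sp)
        print(f"{label}: {len(set(seen))} distinct external ports "
              f"-> {assess_port_randomness(seen)}")
```

Running it shows both halves of the thread's point: the static-port resolver produces exactly one external port toward the upstream server no matter how many queries it sends, because every query hits the same state, while the patched resolver's varying source ports each create a new state and so keep their randomness across the NAT. A checker that only sees one query per client cannot tell these apart; one that observes many queries can.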
Re: [pfSense-discussion] DNS resolver test
I encourage everyone to read this post and ensure they are protected.

http://blog.pfsense.org/?p=220

In short: there is nothing to update on pfSense itself, however you may wish to make some configuration changes as detailed in the post.