Hello Shorewall users, I'm sure you all know about the big DNS vulnerability that was recently announced, where the fix involves randomized source ports for DNS requests (http://www.doxpara.com/).
In Shorewall, do any configuration changes need to be made in order to enable this new behaviour? The official document at http://www.isc.org/sw/bind/bind-security.php mentions:

"DNS administrators who operate these servers behind port-restricted firewalls are encouraged to review their firewall policies to allow this protocol-compliant behavior. Restricting the possible use of various UDP ports, for instance at the firewalls, in outgoing queries and the corresponding replies will result in decreased security for the DNS service."

This seems relevant since the "test your DNS" tool at Doxpara.com says I'm still vulnerable, even though I've updated to the updated 9.5.0-P1 BIND version and restarted the process. I'm using Shorewall 4.0.11.

My DNS-related entries in the Rules file are:

    DNS/ACCEPT $FW net
    DNS/ACCEPT loc $FW

Many thanks,
Walter Wiegmann

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
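A local way to check the behaviour the post is asking about, without relying on an external test site: capture the queries the resolver sends out and count how many distinct UDP source ports they use. The script below is an added example, not code from the original post or from Shorewall or BIND; it parses constructed tcpdump-style summary lines (the sample captures are made up for illustration) and reports whether the source ports look randomized or stuck on one port.

```python
"""Check whether a resolver's outbound DNS queries use randomized source ports.

Added example, not part of the original mailing-list post. It parses
tcpdump-style summary lines of queries leaving a resolver and reports how
many distinct UDP source ports appear. A patched resolver should use a
different port on nearly every query; a single fixed port (or a narrow
range, which a port-restricting firewall could impose) is what the post
is trying to rule out.
"""
import math
import re
from collections import Counter

# Matches tcpdump's "IP src.sport > dst.dport:" summary for IPv4 queries to port 53.
_LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
)

# Constructed sample: every query leaves from the same source port.
FIXED_PORT_SAMPLE = [
    "12:00:01.000001 IP 192.0.2.10.32768 > 198.51.100.1.53: 1001+ A? example.com. (29)",
    "12:00:01.000102 IP 192.0.2.10.32768 > 198.51.100.1.53: 1002+ A? example.net. (29)",
    "12:00:01.000203 IP 192.0.2.10.32768 > 198.51.100.1.53: 1003+ A? example.org. (29)",
    "12:00:01.000304 IP 192.0.2.10.32768 > 198.51.100.1.53: 1004+ AAAA? example.com. (29)",
]

# Constructed sample: a different, high-numbered source port on each query.
RANDOMIZED_SAMPLE = [
    "12:00:02.000001 IP 192.0.2.10.15233 > 198.51.100.1.53: 2001+ A? example.com. (29)",
    "12:00:02.000102 IP 192.0.2.10.54012 > 198.51.100.1.53: 2002+ A? example.net. (29)",
    "12:00:02.000203 IP 192.0.2.10.7891 > 198.51.100.1.53: 2003+ A? example.org. (29)",
    "12:00:02.000304 IP 192.0.2.10.61204 > 198.51.100.1.53: 2004+ AAAA? example.com. (29)",
    "12:00:02.000405 IP 192.0.2.10.23456 > 198.51.100.1.53: 2005+ MX? example.com. (29)",
    "12:00:02.000506 IP 192.0.2.10.40987 > 198.51.100.1.53: 2006+ A? example.edu. (29)",
    "12:00:02.000607 IP 192.0.2.10.3301 > 198.51.100.1.53: 2007+ NS? example.com. (29)",
    "12:00:02.000708 IP 192.0.2.10.52109 > 198.51.100.1.53: 2008+ A? example.info. (30)",
]


def parse_source_ports(lines):
    """Return the UDP source ports of all queries addressed to port 53, in order."""
    ports = []
    for line in lines:
        m = _LINE_RE.search(line)
        if m:
            ports.append(int(m.group("sport")))
    return ports


def shannon_entropy_bits(values):
    """Entropy of the observed port distribution, in bits (0 means one fixed port)."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def analyze_source_ports(lines, min_distinct_ratio=0.9):
    """Summarize source-port usage and apply a simple randomization heuristic.

    The heuristic treats the resolver as randomizing if at least
    min_distinct_ratio of the queries used a port not seen before in the
    sample. Small captures can still fool it, so look at the numbers too.
    """
    ports = parse_source_ports(lines)
    n = len(ports)
    distinct = len(set(ports))
    return {
        "queries": n,
        "distinct_ports": distinct,
        "port_range": (min(ports), max(ports)) if ports else None,
        "entropy_bits": round(shannon_entropy_bits(ports), 2) if ports else 0.0,
        "looks_randomized": n > 0 and distinct / n >= min_distinct_ratio,
    }


if __name__ == "__main__":
    for name, sample in (("fixed port", FIXED_PORT_SAMPLE),
                         ("randomized", RANDOMIZED_SAMPLE)):
        print(name, analyze_source_ports(sample))
```

To use it on a real resolver, feed it the output of a capture of outbound port-53 traffic taken on the resolver's external interface (after any firewall translation), since the ports seen by the outside world are what matter; the regular expression only understands tcpdump's IPv4 summary format, so adjust it for other capture tools.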
