Tested using those tests, out of curiosity - and we passed with flying
colors.
Could it be your ISP's DNS that is bad (the one pfSense is relaying to?) and not
pfSense directly?
-Tim

-----Original Message-----
From: Beat Siegenthaler [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 1:11 PM
To: [email protected]
Subject: Re: [pfSense Support] DNS cache poisoning

Chris Buechler wrote:

> No, pf has randomized source ports on all NATed TCP and UDP traffic for 
> 8 years. I was surprised to find out that's the exception rather than 
> the norm. Cisco, Checkpoint, amongst numerous others apparently do not 
> randomize source ports on NATed traffic.
> 

I am not enthusiastic about this:

The same server behind pfSense and dd-wrt does differ slightly:
The server runs patched [EMAIL PROTECTED]


pfSense:

[EMAIL PROTECTED]:~] # dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"IP is POOR: 26 queries in 4.7 seconds from 26 ports with std dev 8.47"

dd-wrt:

[EMAIL PROTECTED]:~] # dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"IP is GOOD: 26 queries in 4.6 seconds from 26 ports with std dev 17271.44"

Source: https://www.dns-oarc.net/

Also the web-based test is very interesting:

pfsense:
source-port randomness=poor       (deviation 17)
transaction id randomness=great   (deviation 19030)

dd-wrt:
source-port randomness=great       (deviation 21110)
transaction id randomness=great   (deviation 17122)


Other Test @ www.doxpara.com :

Your name server, at x.y.z.y, may be safe, but the NAT/Firewall in front 
of it appears to be interfering with its port selection policy. The 
difference between largest port and smallest port was only 5.

Please talk to your firewall or gateway vendor -- all are working on 
patches, mitigations, and workarounds.
Requests seen for e85e29497dea.toorrr.com:
x.y.z.y:11970 TXID=47044
x.y.z.y:11971 TXID=62299
x.y.z.y:11972 TXID=65287
x.y.z.y:11973 TXID=13892
x.y.z.y:11975 TXID=50242


Not really a problem for me, but some may have ;-)


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



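As an added example (not part of this thread, and not code from pfSense, dns-oarc or doxpara), the script below reproduces the kind of figures the tests above report: it parses request lines in the shape the doxpara test printed ("ip:port TXID=nnnn"), computes the port range and the standard deviation of source ports and transaction IDs, and rates each. The sequential sample is the thread's own doxpara output; the second sample and the rating thresholds are constructed for illustration and are assumptions, not the thresholds the real tests use.

```python
"""Rate DNS source-port and TXID randomness from observed requests.

Added example for the pfSense DNS cache-poisoning thread. The input format
mirrors the doxpara output quoted above ("x.y.z.y:11970 TXID=47044").
Thresholds in rate() are an assumption for illustration only.
"""
import re
import statistics

LINE_RE = re.compile(r"^(?P<ip>[\w.:]+):(?P<port>\d+)\s+TXID=(?P<txid>\d+)$")

# Constructed sample: the sequential ports from the thread's doxpara output.
# A NAT that rewrites source ports from a counter produces exactly this.
SEQUENTIAL = """\
x.y.z.y:11970 TXID=47044
x.y.z.y:11971 TXID=62299
x.y.z.y:11972 TXID=65287
x.y.z.y:11973 TXID=13892
x.y.z.y:11975 TXID=50242
"""

# Constructed sample: ports spread across the ephemeral range, as seen when
# the resolver randomises ports and the NAT preserves its choice.
RANDOMISED = """\
x.y.z.y:50213 TXID=1021
x.y.z.y:2847 TXID=60211
x.y.z.y:61999 TXID=33070
x.y.z.y:17455 TXID=9100
x.y.z.y:41872 TXID=52940
"""

# Assumed rating bands on the population standard deviation (not dns-oarc's).
RATING_ORDER = ["POOR", "FAIR", "GOOD"]


def parse(text):
    """Return a list of (port, txid) tuples; lines that do not match are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((int(m.group("port")), int(m.group("txid"))))
    return pairs


def rate(stdev):
    """Map a standard deviation to an assumed POOR/FAIR/GOOD band."""
    if stdev < 300:
        return "POOR"
    if stdev < 4000:
        return "FAIR"
    return "GOOD"


def describe(values):
    """Range and population standard deviation of a series, plus its rating."""
    stdev = statistics.pstdev(values)
    return {
        "min": min(values),
        "max": max(values),
        "range": max(values) - min(values),
        "stdev": stdev,
        "rating": rate(stdev),
    }


def analyse(text):
    """Rate ports and TXIDs separately; the overall verdict is the weaker of the two.

    A great TXID does not help when the NAT collapses the port to a few values:
    the attacker then only has to search the 16-bit TXID space.
    """
    pairs = parse(text)
    if not pairs:
        raise ValueError("no parsable request lines")
    ports = describe([p for p, _ in pairs])
    txids = describe([t for _, t in pairs])
    verdict = min(ports["rating"], txids["rating"], key=RATING_ORDER.index)
    return {"queries": len(pairs), "ports": ports, "txids": txids, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL), ("randomised", RANDOMISED)):
        r = analyse(sample)
        print(f"{name}: {r['queries']} queries, port range {r['ports']['range']}, "
              f"port std dev {r['ports']['stdev']:.2f} ({r['ports']['rating']}), "
              f"TXID std dev {r['txids']['stdev']:.2f} ({r['txids']['rating']}) "
              f"-> {r['verdict']}")
```

Run against the thread's sample the port range comes out as 5 with a standard deviation under 2, while the TXIDs rate well, which is exactly the pattern doxpara described: the resolver may be fine, but the device in front of it is serialising the source port.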
