On Mon, Jul 21, 2008 at 6:54 PM, Beat Siegenthaler <[EMAIL PROTECTED]> wrote:
> Beat Siegenthaler wrote:
>
>> And I think it is not really a big problem as long as the transaction IDs
>> are really random.
>
> Curiosity killed the cat:
>
> I did a dump on pfSense at the DMZ side. It looks like the source ports from
> BIND are very well randomized. But at the WAN side, the ports are just
> ascending, more or less. What about the mentioned UDP timeout?
> I'll try to check out another time what the OpenWrt, exactly X-WRT (it's not
> DD-WRT as mentioned before), guys do better in this case ...
I just confirmed what I said previously: unless static port is enabled, the source port on DNS traffic (and all TCP and UDP traffic, for that matter) is rewritten to a randomly selected port. Description of this behavior from OpenBSD developer Ryan McBride: http://seclists.org/fulldisclosure/2008/Jul/0272.html

How is your outbound NAT configured? Even static port won't rewrite the source ports to something incremental; it just retains whatever the source port is.
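Added example, not code from this thread or from pf/pfSense: a small Python check that does what Beat did by eye, that is, compare the UDP source ports seen on the DMZ side with those seen on the WAN side and say whether the NAT is handing out ascending ports. The input here is constructed tcpdump-style text with hypothetical addresses; with a real firewall you would feed it the output of `tcpdump -n udp port 53` taken on each interface. The thresholds in `classify_ports` are a rule of thumb chosen for this example, not a standard.

```python
"""
Decide whether a sequence of UDP source ports looks randomized or
sequential, from tcpdump-style text captured on one interface.

Added example for the pfSense NAT discussion; not code from the thread
or from pf.  Addresses, ports and query names below are constructed.
"""
import re
import statistics
from typing import Dict, List

# Matches the "IP src.sport > dst.dport:" part of a tcpdump -n IPv4 line, e.g.
#   "IP 192.0.2.10.43521 > 198.51.100.53.53: 1000+ A? a.example. (27)"
_LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def source_ports(lines: List[str], dst_port: int = 53) -> List[int]:
    """Return the source ports of all lines addressed to dst_port, in capture order."""
    ports = []
    for line in lines:
        m = _LINE_RE.search(line)
        if m and int(m.group(4)) == dst_port:
            ports.append(int(m.group(2)))
    return ports


def classify_ports(ports: List[int], near: int = 16) -> Dict[str, object]:
    """
    Summarize consecutive port deltas and give a verdict.

    A delta of 1..near between consecutive queries counts as an
    incremental step.  If at least 80% of steps are incremental the
    allocator is reported as "sequential"; these numbers are a heuristic
    for this example, not a published criterion.
    """
    if len(ports) < 2:
        return {"count": len(ports), "verdict": "insufficient data"}
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    incremental = sum(1 for d in deltas if 0 < d <= near)
    frac_seq = incremental / len(deltas)
    return {
        "count": len(ports),
        "distinct": len(set(ports)),
        "median_abs_delta": statistics.median(abs(d) for d in deltas),
        "fraction_sequential": round(frac_seq, 2),
        # Range of ports actually used; a randomizing allocator spreads
        # across most of the ephemeral range even in a small sample.
        "spread": max(ports) - min(ports),
        "verdict": "sequential" if frac_seq >= 0.8 else "randomized-looking",
    }


# Constructed sample: DMZ side, resolver with randomized source ports.
DMZ_SIDE = [
    "12:00:00.000001 IP 192.0.2.10.43521 > 198.51.100.53.53: 1000+ A? a.example. (27)",
    "12:00:00.000002 IP 192.0.2.10.17344 > 198.51.100.53.53: 1001+ A? b.example. (27)",
    "12:00:00.000003 IP 192.0.2.10.60912 > 198.51.100.53.53: 1002+ A? c.example. (27)",
    "12:00:00.000004 IP 192.0.2.10.5021 > 198.51.100.53.53: 1003+ A? d.example. (27)",
    "12:00:00.000005 IP 192.0.2.10.33877 > 198.51.100.53.53: 1004+ A? e.example. (27)",
    "12:00:00.000006 IP 192.0.2.10.51190 > 198.51.100.53.53: 1005+ A? f.example. (27)",
    # a non-DNS packet the parser must ignore
    "12:00:00.000007 IP 192.0.2.10.40000 > 198.51.100.9.123: NTPv4, Client, length 48",
]

# Constructed sample: WAN side, a NAT that allocates ascending ports.
WAN_SIDE = [
    "12:00:00.000001 IP 203.0.113.7.50001 > 198.51.100.53.53: 1000+ A? a.example. (27)",
    "12:00:00.000002 IP 203.0.113.7.50002 > 198.51.100.53.53: 1001+ A? b.example. (27)",
    "12:00:00.000003 IP 203.0.113.7.50003 > 198.51.100.53.53: 1002+ A? c.example. (27)",
    "12:00:00.000004 IP 203.0.113.7.50005 > 198.51.100.53.53: 1003+ A? d.example. (27)",
    "12:00:00.000005 IP 203.0.113.7.50006 > 198.51.100.53.53: 1004+ A? e.example. (27)",
    "12:00:00.000006 IP 203.0.113.7.50007 > 198.51.100.53.53: 1005+ A? f.example. (27)",
]


def compare_sides() -> Dict[str, Dict[str, object]]:
    """Run the check on both constructed captures."""
    return {
        "dmz": classify_ports(source_ports(DMZ_SIDE)),
        "wan": classify_ports(source_ports(WAN_SIDE)),
    }


if __name__ == "__main__":
    for side, result in compare_sides().items():
        print(side, result)
```

A "sequential" verdict on the WAN side with a "randomized-looking" one on the DMZ side points at the NAT, which is exactly the configuration question asked above. In pf.conf terms the relevant nat-rule option is `static-port`: without it pf picks a random source port for each translated state, with it pf keeps the resolver's own port, and in neither case does pf itself produce an incrementing sequence.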
