[Gllug] DNS security problem and broadband modems

Nix nix at esperi.org.uk
Sat Jul 26 16:07:45 UTC 2008


On 26 Jul 2008, Tethys said:

> --------
>
> Alain Williams writes:
>
>>My broadband modem has a NATting firewall on it (I also run a
>>firewall on my home server [**]), this seems to be 'undoing' the
>>port randomisation
>
> Correct. Tom Cross of XForce pointed out precisely that
> issue a couple of weeks ago. It's a common problem. No
> matter how good the random port generation used by your
> nameserver may be, it's no good if your NAT device is
> rewriting it to something distinctly non-random on the
> way out. Solution: get a better NAT provider.

Equally, if your non-vulnerable nameserver is forwarding to another one,
which *is* vulnerable, you're stuffed. e.g. Demon's nameserver:

nix at beast:~$ dig +short @127.0.0.1 porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"194.159.187.34 is POOR: 26 queries in 3.6 seconds from 24 ports with std dev 74.27"

versus bind 9.5.0-P1:

nix at hades 81 /home/nix% dig +short @127.0.0.1 porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"194.247.41.52 is GOOD: 26 queries in 5.1 seconds from 26 ports with std dev 17928.55"

Quite a difference in std-dev of source port.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
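The porttest figures quoted above (query count, distinct ports, standard deviation of the source port) can be reproduced locally from a packet capture taken on the outside of the NAT device, which is the only vantage point that shows what the world actually sees. The following is an added example, not code from the post or from DNS-OARC: it parses tcpdump-style lines of outgoing UDP queries to port 53 (the line format is assumed), computes the same three figures, and adds a "sequential steps" ratio that exposes the counter-style rewriting a NAT box typically does. The two captures embedded in it are constructed test data, with one set of ports spread 2500 apart so the std dev can be checked by hand; population standard deviation is assumed, as the page does not say which flavour porttest reports, and no attempt is made to reproduce DNS-OARC's POOR/GOOD thresholds.

```python
"""Measure the source-port spread of outgoing DNS queries in a capture.

Added example (not from the list post or from DNS-OARC). Reads
tcpdump-style lines for UDP queries to port 53, extracts the source
port each query left with, and reports query count, distinct ports and
std dev, i.e. the figures porttest.dns-oarc.net prints.
"""
import re
import statistics
from typing import Dict, Iterable, List

# Assumed tcpdump output format, e.g.
# "16:07:45.123456 IP 192.0.2.10.53012 > 198.51.100.1.53: 12345+ A? example.net. (29)"
QUERY_RE = re.compile(r"^\S+ IP \S+\.(\d+) > \S+\.53: ")


def source_ports(lines: Iterable[str]) -> List[int]:
    """Source ports of every matching query line, in arrival order."""
    ports = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def summarise(ports: List[int]) -> Dict[str, float]:
    """Query count, distinct ports and population std dev of the ports
    (population std dev is an assumption; the page does not say which)."""
    return {
        "queries": len(ports),
        "distinct": len(set(ports)),
        "stddev": statistics.pstdev(ports) if len(ports) > 1 else 0.0,
    }


def sequential_fraction(ports: List[int]) -> float:
    """Share of consecutive queries whose port is the previous port plus
    one. Near 1.0 means a counter (typical NAT rewriting); near 0.0 means
    the resolver's randomisation survived the trip."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def capture_lines(ports: List[int]) -> List[str]:
    """Constructed tcpdump-style lines for the given source ports (test
    data, not a real capture; addresses are from documentation ranges)."""
    return [
        f"16:07:{45 + i // 10:02d}.{i:06d} IP 192.0.2.10.{p} > 198.51.100.1.53: "
        f"{1000 + i}+ A? {i}.example.net. (30)"
        for i, p in enumerate(ports)
    ]


# Constructed sample 1: a NAT box rewrote 26 queries to consecutive ports
# from 1024 upwards, the "distinctly non-random" case from the thread.
NAT_REWRITTEN = capture_lines(list(range(1024, 1050)))

# Constructed sample 2: 26 ports spread 2500 apart across the range, in
# scrambled order, chosen so the std dev (2500 * 7.5 = 18750) is easy to
# check by hand. Stands in for a resolver whose randomisation survived.
SPREAD = [1024 + 2500 * k for k in (7, 19, 2, 25, 11, 0, 14, 22, 5, 17, 9, 24,
                                    1, 13, 20, 6, 16, 3, 23, 10, 21, 8, 18, 4, 15, 12)]
RANDOMISED = capture_lines(SPREAD)

if __name__ == "__main__":
    for name, lines in (("NAT-rewritten", NAT_REWRITTEN), ("randomised", RANDOMISED)):
        ports = source_ports(lines)
        s = summarise(ports)
        print(f"{name}: {s['queries']} queries from {s['distinct']} ports "
              f"with std dev {s['stddev']:.2f}, "
              f"sequential steps {sequential_fraction(ports):.0%}")
```

Feed it real lines from `tcpdump -n -l udp dst port 53` run on the WAN side (or on a mirror of it) and compare with what `dig` gets back from porttest: if the local capture on the LAN side looks GOOD but the outside capture shows a counter, the NAT device is the problem, exactly as the thread describes.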