[106139] in North American Network Operators' Group
Re: SANS: DNS Bug Now Public?
Date: Wed, 23 Jul 2008 12:16:41 -0700
From: "Darren Bolding" <darren@bolding.org>
To: "Joe Abley" <jabley@ca.afilias.info>
In-Reply-To: <2A44845F-4D1F-47A8-B6F7-09B50C65C8B4@ca.afilias.info>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
After a bit of looking around, I have not been able to find a list of
firewalls/versions which are known to provide appropriate randomness in
their PAT algorithms (or more importantly, those that do not).
I would be very interested in such a list if anyone knows of one.
As a side note, most people here realize this but, while people mention
firewalls, keep in mind that if a load-balancer or other device is your
egress PAT device, you might be interested in checking those systems'
port-translation randomness as well.
--D
On Wed, Jul 23, 2008 at 10:11 AM, Joe Abley <jabley@ca.afilias.info> wrote:
>
> On 23 Jul 2008, at 12:16, Jorge Amodio wrote:
>
>> Let me add that folks need to understand that the "patch" is not a fix to a
>> problem that has been there for a long time and
>> it is just a workaround to reduce the chances for a potential
>> attack, and it must be combined with best practices and
>> recommendations to implement a more robust DNS setup.
>>
>
> Having just seen some enterprise types spend time patching their
> nameservers, it's also perhaps worth spelling out that "patch" in this case
> might require more than upgrading resolver code -- it could also involve
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT
> reassigns source ports in a predictable fashion, then no amount of BIND9
> patching is going to help.
>
> (Reconfiguring your internal resolvers to forward queries to an external,
> patched resolver which can see the world other than through NAT-coloured
> glasses may also be a way out.)
>
>
> Joe
>
>
>
--
-- Darren Bolding --
-- darren@bolding.org --
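The thread asks how to tell whether your own firewall, load-balancer or other egress PAT device preserves source-port randomness on outbound DNS queries. The script below is an added example written for this archive page, not code from the thread or from any vendor: it takes tcpdump-style lines captured on the outside of the PAT device (the line format and the addresses are constructed for the example), extracts the translated source port of each query to port 53, and applies three checks that a predictable translator fails: heavy port reuse, a narrow port range, and sequential assignment. The thresholds are assumptions chosen for illustration, not values from the thread.

```python
"""Assess source-port randomness of outbound DNS queries as seen on the
outside of a NAT/PAT device.  Added example; not from the NANOG thread."""
import math
import random
import re
from collections import Counter

# Source port of a tcpdump-style line such as
#   "IP 203.0.113.5.53211 > 198.51.100.2.53: 4321+ A? example.com. (29)"
# Only queries to UDP/TCP port 53 are matched.  (Constructed format.)
DNS_QUERY_RE = re.compile(
    r"IP \d+\.\d+\.\d+\.\d+\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: "
)

# Constructed capture from a PAT device that hands out ports in order.
SEQUENTIAL_CAPTURE = [
    "IP 203.0.113.5.1024 > 198.51.100.2.53: 1+ A? example.com. (29)",
    "IP 203.0.113.5.1025 > 198.51.100.2.53: 2+ A? example.net. (29)",
    "IP 203.0.113.5.1026 > 198.51.100.2.53: 3+ AAAA? example.org. (29)",
    "IP 203.0.113.5.1027 > 198.51.100.2.53: 4+ MX? example.com. (29)",
    "IP 203.0.113.5.1028 > 198.51.100.2.53: 5+ A? www.example.com. (33)",
    "IP 203.0.113.5.1029 > 198.51.100.2.53: 6+ A? mail.example.net. (34)",
]


def random_capture(count, seed=2008):
    """Constructed capture from a PAT device that randomises ports.
    Seeded so the result is reproducible."""
    rng = random.Random(seed)
    return [
        f"IP 203.0.113.5.{rng.randint(1024, 65535)} > 198.51.100.2.53: "
        f"{i}+ A? example.com. (29)"
        for i in range(1, count + 1)
    ]


def source_ports(lines):
    """Translated source port of every outbound DNS query in the capture."""
    ports = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def port_stats(ports):
    """Summary statistics over the observed port sequence."""
    n = len(ports)
    if n < 2:
        raise ValueError("need at least two observed queries")
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    counts = Counter(ports)
    # Shannon entropy of the observed ports; bounded above by log2(n).
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "observed": n,
        "distinct": len(counts),
        "span": max(ports) - min(ports),
        "sequential_fraction": sum(1 for d in deltas if d <= 1) / len(deltas),
        "entropy_bits": entropy,
    }


def verdict(stats, min_span=4096, max_sequential=0.2, min_distinct_ratio=0.5):
    """Return (ok, reasons).  ok is False when the translator looks
    predictable.  Thresholds are assumptions for this example."""
    reasons = []
    if stats["distinct"] / stats["observed"] < min_distinct_ratio:
        reasons.append("ports reused heavily")
    if stats["span"] < min_span:
        reasons.append("ports drawn from a narrow range")
    if stats["sequential_fraction"] > max_sequential:
        reasons.append("ports assigned sequentially")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, capture in (("sequential PAT", SEQUENTIAL_CAPTURE),
                           ("randomising PAT", random_capture(200))):
        stats = port_stats(source_ports(capture))
        ok, reasons = verdict(stats)
        print(f"{label}: {'ok' if ok else 'PREDICTABLE'} "
              f"(distinct={stats['distinct']}/{stats['observed']}, "
              f"span={stats['span']}, "
              f"sequential={stats['sequential_fraction']:.2f}) {reasons}")
```

Run it against a capture taken on the Internet side of the PAT device rather than on the resolver itself, since the point of the thread is that the resolver's own randomisation can be undone by the translator. Entropy alone is not enough as a check: a purely sequential allocator produces all-distinct ports and therefore maximal entropy, which is why the sequential-fraction and span tests are applied as well.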