Anthony Roberts wrote:
>> I don't think this actually accomplishes much. It still lets poisoned
>> replies back in on the previous port number.
>
> hm... I don't think it does. BIND would, but it's going through PF.
> Without an additional rule to pass in to user named, the UDP reply has to
> be to the new NATed port. That's the only thing the state associated with
> the pass out on egress rule is going to be aware of. E.g., I applied the PF
> rule to one of my machines and checked, here's one of the states:
>
> all udp x.y.z.201:42001 -> x.y.z.201:60538 -> 68.142.196.63:53
> MULTIPLE:MULTIPLE
>
> I don't care that someone can forge a packet from 68.142.196.63:53 to
> x.y.z.201:60538, the goal of the NAT rule in this case is to prevent the
> attacker from finding out what local port I'm using with anyone else.
> Without that NAT rule, everyone sees 42001. With that NAT rule, the
> attacker won't discover what local port I'm using for other DNS servers
> like google or yahoo or whatever. The lookup they get me to do against
> their domain doesn't have the same local port as the others.
>
> If the local port is known, there are apparently some other attacks that can
> build on that.
>

You can use PF to randomize the source port on a standalone DNS server by using the loopback as your query source and a NAT rule, but you will need to enable IP forwarding for this to work:

/var/named/etc/named.conf:

    query-source address 127.0.0.1 port *;

/etc/pf.conf:

    nat on $ext_if from 127.0.0.0/8 to any -> $ext_if
# pfctl -s s| grep 127.0.0
all udp 127.0.0.1:44954 -> x.x.x.x:62246 -> 207.46.66.126:53 MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:60491 -> 65.55.238.126:53 MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:56006 -> 198.170.241.130:53 MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:56851 -> 198.170.241.131:53 MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:62635 -> 192.43.172.30:53 MULTIPLE:SINGLE
all udp 127.0.0.1:44954 -> x.x.x.x:56918 -> 216.211.140.226:53 MULTIPLE:SINGLE
all udp 127.0.0.1:44954 -> x.x.x.x:57970 -> 209.128.76.101:53 MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:53076 -> 209.128.76.102:53 MULTIPLE:MULTIPLE

Dustin Lundquist
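A way to verify the effect discussed in this thread from the pf state table, added here as an example and not part of anyone's post: it parses `pfctl -s s` lines (a constructed sample modelled on the ones quoted above, plus one untranslated state) and reports, per local resolver endpoint, which ports remote DNS servers actually see and whether those ports vary across upstreams.

```python
import re
from collections import defaultdict

# Constructed sample of `pfctl -s s` output, modelled on the lines quoted in
# the thread (x.x.x.x stands in for the external address, as in the original).
# The last line is a state with no NAT rule applied, so the resolver's real
# source port (42001) is what the remote server sees.
SAMPLE_STATES = """\
all udp 127.0.0.1:44954 -> x.x.x.x:62246 -> 207.46.66.126:53 MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:60491 -> 65.55.238.126:53 MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:56006 -> 198.170.241.130:53 MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:62635 -> 192.43.172.30:53 MULTIPLE:SINGLE
all udp 192.0.2.10:42001 -> 198.51.100.53:53 MULTIPLE:MULTIPLE
"""

# One pf state line: "<if> udp <src>:<port> [-> <nat>:<port>] -> <dst>:<port> ..."
STATE_RE = re.compile(
    r"^\S+\s+udp\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?:(?P<nat>\S+):(?P<nport>\d+)\s+->\s+)?"
    r"(?P<dst>\S+):(?P<dport>\d+)\s"
)

def parse_udp_states(text):
    """Return one dict per UDP state line; 'nport' is None when no NAT applied."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            st = m.groupdict()
            st["nport"] = int(st["nport"]) if st["nport"] else None
            st["sport"], st["dport"] = int(st["sport"]), int(st["dport"])
            states.append(st)
    return states

def audit_dns_source_ports(text):
    """For each local resolver endpoint, collect the ports a remote DNS server
    actually sees (post-NAT port, or the raw port when untranslated)."""
    report = defaultdict(lambda: {"visible_ports": set(), "states": 0, "translated": True})
    for st in parse_udp_states(text):
        if st["dport"] != 53:
            continue
        entry = report[f'{st["src"]}:{st["sport"]}']
        entry["states"] += 1
        if st["nport"] is None:
            entry["translated"] = False   # remote side sees the fixed local port
            entry["visible_ports"].add(st["sport"])
        else:
            entry["visible_ports"].add(st["nport"])
    return dict(report)

def is_randomized(entry):
    """A fixed local port is only hidden if NAT gave every upstream its own port."""
    return entry["translated"] and len(entry["visible_ports"]) == entry["states"]

if __name__ == "__main__":
    for ep, entry in audit_dns_source_ports(SAMPLE_STATES).items():
        print(ep, "OK" if is_randomized(entry) else "EXPOSED", sorted(entry["visible_ports"]))
```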