Anthony Roberts wrote:
>> I don't think this actually accomplishes much.  It still lets poisoned
>> replies back in on the previous port number.
> 
> hm... I don't think it does. BIND would, but it's going through PF.
> Without an additional rule to pass in to user named, the UDP reply has to
> be to the new NATed port. That's the only thing the state associated with
> the pass out on egress rule is going to be aware of. Eg, I applied the PF
> rule to one of my machines and checked, here's one of the states:
> 
> all udp x.y.z.201:42001 -> x.y.z.201:60538 -> 68.142.196.63:53
> MULTIPLE:MULTIPLE
> 
> I don't care that someone can forge a packet from 68.142.196.63:53 to
> x.y.z.201:60538, the goal of the NAT rule in this case is to prevent the
> attacker from finding out what local port I'm using with anyone else.
> Without that NAT rule, everyone sees 42001. With that NAT rule, the
> attacker won't discover what local port I'm using for other DNS servers
> like google or yahoo or whatever. The lookup they get me to do against
> their domain doesn't have the same local port as the others.
> 
> If the local port is known, there's apparently some other attacks that can
> build on that.
> 
You can use PF to randomize the source port on a standalone DNS server,
but using the loopback as your query source and a NAT rule, you will
need to enable IP forwarding for this to work:
/var/named/etc/named.conf:
        query-source address 127.0.0.1 port *;
/etc/pf.conf:
        nat on $ext_if from 127.0.0.0/8 to any -> $ext_if

# pfctl -s s| grep 127.0.0
all udp 127.0.0.1:44954 -> x.x.x.x:62246 -> 207.46.66.126:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:60491 -> 65.55.238.126:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:56006 -> 198.170.241.130:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:56851 -> 198.170.241.131:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:62635 -> 192.43.172.30:53
MULTIPLE:SINGLE
all udp 127.0.0.1:44954 -> x.x.x.x:56918 -> 216.211.140.226:53
MULTIPLE:SINGLE
all udp 127.0.0.1:44954 -> x.x.x.x:57970 -> 209.128.76.101:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:53076 -> 209.128.76.102:53
MULTIPLE:MULTIPLE


Dustin Lundquist

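One way to confirm that the NAT rule is doing what both posters describe, as an added example that is not part of this thread: parse the `pfctl -s s` output and check that the port the remote name server sees (the translated one when pf rewrote the source, the original one otherwise) differs from state to state. The five state lines below are copied from Dustin's message; the no-NAT sample is constructed to show the failing case, where every query leaves on the same port (42001 in Anthony's example). The parser assumes IPv4 states in the `src -> nat -> dst` / `src -> dst` form shown above, with the `MULTIPLE:MULTIPLE` flags either wrapped onto the next line or trailing on the same one.

```python
import re

# State lines as printed by `pfctl -s s`, copied from the post above
# (x.x.x.x is the anonymised external address as it appears there).
SAMPLE_STATES = """\
all udp 127.0.0.1:44954 -> x.x.x.x:62246 -> 207.46.66.126:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:60491 -> 65.55.238.126:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:56006 -> 198.170.241.130:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:56851 -> 198.170.241.131:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:62635 -> 192.43.172.30:53
MULTIPLE:SINGLE
"""

# Constructed counter-example: no NAT rule, so the state has only two
# endpoints and named's fixed query port is what every server sees.
SAMPLE_NO_NAT = """\
all udp x.x.x.x:42001 -> 207.46.66.126:53       MULTIPLE:MULTIPLE
all udp x.x.x.x:42001 -> 65.55.238.126:53       MULTIPLE:MULTIPLE
all udp x.x.x.x:42001 -> 198.170.241.130:53     MULTIPLE:MULTIPLE
"""

# host:port token (IPv4 only; pfctl prints IPv6 ports in brackets, not handled here)
ENDPOINT = re.compile(r"(\S+):(\d+)")
# "<where> <proto> <endpoints...>" e.g. "all udp 127.0.0.1:44954 -> ..."
STATE_LINE = re.compile(r"^(?P<where>\S+)\s+(?P<proto>\S+)\s+(?P<rest>.*->.*)$")


def parse_states(text):
    """Parse `pfctl -s s` output into dicts with proto, src, nat and dst.

    Each endpoint is a (host, port) tuple; nat is None when pf did not
    translate the source.  Wrapped flag lines (MULTIPLE:MULTIPLE) are skipped
    because they carry no '->' and no host:port token.
    """
    states = []
    for line in text.splitlines():
        m = STATE_LINE.match(line.strip())
        if not m:
            continue
        hops = [(h, int(p)) for h, p in ENDPOINT.findall(m.group("rest"))]
        if len(hops) == 2:
            src, nat, dst = hops[0], None, hops[1]
        elif len(hops) == 3:
            src, nat, dst = hops
        else:
            continue
        states.append({"proto": m.group("proto"), "src": src, "nat": nat, "dst": dst})
    return states


def resolver_query_ports(states):
    """Ports that remote name servers actually see for UDP/53 queries."""
    ports = []
    for s in states:
        if s["proto"] != "udp" or s["dst"][1] != 53:
            continue
        ports.append((s["nat"] or s["src"])[1])
    return ports


def looks_randomized(ports):
    """True when every sampled query left on a distinct port.

    For a handful of states that is what randomization should give.  With
    hundreds of states a few birthday collisions in a 16-bit space are normal,
    so for large samples compare len(set(ports)) against the sample size
    instead of demanding strict uniqueness.
    """
    return len(ports) >= 2 and len(set(ports)) == len(ports)


def check(text):
    """Convenience wrapper: (ports seen by remote servers, randomized?)."""
    ports = resolver_query_ports(parse_states(text))
    return ports, looks_randomized(ports)


if __name__ == "__main__":
    for label, sample in (("with nat rule", SAMPLE_STATES), ("without nat", SAMPLE_NO_NAT)):
        ports, ok = check(sample)
        print(f"{label}: ports seen remotely {ports} -> randomized={ok}")
```

On a live box, feed it `pfctl -s s | grep ':53'` instead of the embedded samples; the check only says anything once a few queries to different servers are in the state table.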