Re: Insufficient DNS Source Port Randomization
On 7/28/11 9:43 AM, Stephane Bortzmeyer wrote:
> Did you try to obtain an independent confirmation from a reliable
> source? (I do not know this product, but I distrust private black
> boxes.) I recommend:

NeXpose is a good vulnerability auditor; it is a product by Rapid7, the owners of Metasploit. HD Moore, original author of Metasploit, is the CSO and chief architect at Rapid7.

As others have suggested, I suspect this is caused by a firewall or IDS changing the source port; I believe Check Point SmartDefense does this.

The best way to rule out BIND would be to run these checks locally. The community edition of NeXpose is available for use with up to 32 IP addresses, so you could just install it in a VM and run the tests locally:
http://www.rapid7.com/products/nexpose-community-edition.jsp

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Insufficient DNS Source Port Randomization
On Jul 28, 2011, at 3:43 AM, Stephane Bortzmeyer wrote:
> On Thu, Jul 28, 2011 at 03:33:11PM +0800,
> Pete Fong wrote
> a message of 27 lines which said:
>
>> I have adjusted named.conf configuration file as below :
>>
>> query-source address * port * ;
>> query-source-v6 address * port *;
>
> BIND randomizes properly by default. I would suggest deleting all
> these lines.
>
>> The NeXpose software still showed the same vulnerability.
>
> Did you try to obtain an independent confirmation from a reliable
> source? (I do not know this product, but I distrust private black
> boxes.) I recommend:
>
> https://www.dns-oarc.net/oarc/services/porttest
> https://www.dns-oarc.net/oarc/services/dnsentropy

+1.

W
Re: Insufficient DNS Source Port Randomization
If I understand correctly, the connection between the scanner PC and your DNS server is not really the issue here. What can cause problems is a firewall between your DNS server and the Internet.

Danilo

On 07/28/2011 10:08 AM, Pete Fong wrote:
> Hi, Matus UHLAR
>
> No, the scanner PC and DNS server are connected by crossover cable in my
> environment. Therefore I have no idea.
>
> Thanks a lot,
> Pete Fong
>
> 2011/7/28 Matus UHLAR - fantomas:
>> On 28.07.11 15:33, Pete Fong wrote:
>>> My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
>>> DNS server. I have installed bind-9.7.3P3-0.2.1
>>>
>>> Our external auditor used "NeXpose" for scanning my system. It showed
>>> "Insufficient DNS Source Port Randomization Vulnerability".
>>
>> The insufficient randomization was AFAIK fixed in 9.5.0.
>>
>>> Therefore I have followed BIND 9 Configuration Reference Guide, I have
>>> adjusted named.conf configuration file as below :
>>>
>>> query-source address * port * ;
>>> query-source-v6 address * port *;
>>>
>>> use-v4-udp-ports { range 1024 65535; };
>>> use-v6-udp-ports { range 1024 65535; };
>>
>> Did you have these before? I think that BIND tries those ports by default,
>> so configuring them should not affect it.
>>
>>> But I am not lucky, The NeXpose software still showed the same
>>> vulnerability. Anybody has some issue ? Anybody can help me ?
>>
>> Is your resolving server behind a firewall? Does the firewall change the
>> source port?
>> --
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Warning: I do NOT want to receive any advertising mail at this address.
>> Nothing is fool-proof to a talented fool.
--
Danilo Godec, system support / system administration
Re: Insufficient DNS Source Port Randomization
Hi, Matus UHLAR

No, the scanner PC and DNS server are connected by crossover cable in my environment. Therefore I have no idea.

Thanks a lot,
Pete Fong

2011/7/28 Matus UHLAR - fantomas :
> On 28.07.11 15:33, Pete Fong wrote:
>>
>> My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
>> DNS server. I have installed bind-9.7.3P3-0.2.1
>>
>> Our external auditor used "NeXpose" for scanning my system. It showed
>> "Insufficient DNS Source Port Randomization Vulnerability".
>
> The insufficient randomization was AFAIK fixed in 9.5.0.
>
>> Therefore
>> I have followed BIND 9 Configuration Reference Guide, I have adjusted
>> named.conf configuration file as below :
>>
>> query-source address * port * ;
>> query-source-v6 address * port *;
>>
>> use-v4-udp-ports { range 1024 65535; };
>> use-v6-udp-ports { range 1024 65535; };
>
> Did you have these before? I think that BIND tries those ports by default,
> so configuring them should not affect it.
>
>> But I am not lucky, The NeXpose software still showed the same
>> vulnerability. Anybody has some issue ? Anybody can help me ?
>
> Is your resolving server behind a firewall? Does the firewall change the
> source port?
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Nothing is fool-proof to a talented fool.
Re: Insufficient DNS Source Port Randomization
On Thu, Jul 28, 2011 at 03:33:11PM +0800,
 Pete Fong wrote
 a message of 27 lines which said:

> I have adjusted named.conf configuration file as below :
>
> query-source address * port * ;
> query-source-v6 address * port *;

BIND randomizes properly by default. I would suggest deleting all
these lines.

> The NeXpose software still showed the same vulnerability.

Did you try to obtain an independent confirmation from a reliable
source? (I do not know this product, but I distrust private black
boxes.) I recommend:

https://www.dns-oarc.net/oarc/services/porttest
https://www.dns-oarc.net/oarc/services/dnsentropy
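A local equivalent of the OARC porttest, added here as an example; it is not part of the thread, of BIND, or of the OARC service. It reads tcpdump-style lines for the resolver's outgoing UDP queries (the form `tcpdump -n udp dst port 53` prints, which is the capture point that also catches a firewall or NAT rewriting the source port on the way out) and reports the number of distinct source ports, the Shannon entropy of ports and transaction IDs, and a verdict. The capture lines, the addresses 192.0.2.10 and 198.51.100.1, and the three scenarios (randomized, sequential NAT pool, single fixed port) are all constructed sample data.

```python
import math
import re
from collections import Counter

# tcpdump -n prints an outgoing query as:
#   IP <src>.<sport> > <dst>.53: <txid>+ A? <name>. (<len>)
# The regex assumes IPv4 dotted quads, i.e. tcpdump's "-n" output.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+? "
)


def parse_ports(lines):
    """Return (source_port, txid) pairs for every outgoing query line."""
    pairs = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            pairs.append((int(m.group("sport")), int(m.group("txid"))))
    return pairs


def shannon_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    if not values:
        return 0.0
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess(lines, min_queries=10):
    """Summarize source-port behaviour seen in a capture and give a verdict."""
    pairs = parse_ports(lines)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    result = {
        "queries": len(pairs),
        "distinct_ports": len(set(ports)),
        "port_bits": round(shannon_bits(ports), 2),
        "txid_bits": round(shannon_bits(txids), 2),
    }
    if len(pairs) < min_queries:
        result["verdict"] = "insufficient sample"
    elif result["distinct_ports"] == 1:
        # Every query left from one port: the classic pre-9.5 BIND behaviour,
        # or a device in the path pinning the port.
        result["verdict"] = "single source port"
    elif all(b - a == 1 for a, b in zip(ports, ports[1:])):
        # Entropy alone would look fine here; a NAT handing out ports in
        # order is trivially predictable, so check ordering explicitly.
        result["verdict"] = "sequential source ports"
    elif max(ports) - min(ports) < 1024:
        result["verdict"] = "narrow port range"
    else:
        result["verdict"] = "randomized"
    return result


def _capture(ports, txids):
    """Build constructed tcpdump-style lines for the scenarios below."""
    return [
        f"IP 192.0.2.10.{p} > 198.51.100.1.53: {t}+ A? example.com. (29)"
        for p, t in zip(ports, txids)
    ]


# Constructed sample data (not a real capture).
TXIDS = [4821, 60113, 912, 33007, 17455, 52290, 8876, 41999, 23610, 1034, 58731, 29004]
RANDOM_PORTS = [41234, 17655, 60012, 2931, 54321, 11987, 33044, 49876, 7812, 25500, 62001, 39017]
GOOD_CAPTURE = _capture(RANDOM_PORTS, TXIDS)          # resolver randomizing
NAT_CAPTURE = _capture(range(1024, 1036), TXIDS)      # NAT rewriting sequentially
FIXED_CAPTURE = _capture([53] * 12, TXIDS)            # everything pinned to 53

if __name__ == "__main__":
    for name, cap in (("good", GOOD_CAPTURE), ("nat", NAT_CAPTURE), ("fixed", FIXED_CAPTURE)):
        print(name, assess(cap))
```

Run it against a real capture by feeding `tcpdump -n -l udp dst port 53` output taken on the resolver's outside interface (or on the far side of the firewall) into `assess()`; a "randomized" verdict on the resolver itself but "sequential" or "single source port" beyond the firewall points at the middlebox, which is the situation the thread suspects.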
Re: Insufficient DNS Source Port Randomization
On 28.07.11 15:33, Pete Fong wrote:
> My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
> DNS server. I have installed bind-9.7.3P3-0.2.1
>
> Our external auditor used "NeXpose" for scanning my system. It showed
> "Insufficient DNS Source Port Randomization Vulnerability".

The insufficient randomization was AFAIK fixed in 9.5.0.

> Therefore I have followed BIND 9 Configuration Reference Guide, I have
> adjusted named.conf configuration file as below :
>
> query-source address * port * ;
> query-source-v6 address * port *;
>
> use-v4-udp-ports { range 1024 65535; };
> use-v6-udp-ports { range 1024 65535; };

Did you have these before? I think that BIND tries those ports by default,
so configuring them should not affect it.

> But I am not lucky, The NeXpose software still showed the same
> vulnerability. Anybody has some issue ? Anybody can help me ?

Is your resolving server behind a firewall? Does the firewall change the
source port?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
Insufficient DNS Source Port Randomization
Hi Everybody,

My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5, which is used for a DNS server. I have installed bind-9.7.3P3-0.2.1.

Our external auditor used "NeXpose" for scanning my system. It showed "Insufficient DNS Source Port Randomization Vulnerability".

Therefore I have followed the BIND 9 Configuration Reference Guide and adjusted the named.conf configuration file as below:

query-source address * port * ;
query-source-v6 address * port *;

use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };

But I am not lucky; the NeXpose software still showed the same vulnerability. Has anybody had this issue? Can anybody help me?

Thanks a lot,
Pete Fong