Re: Insufficient DNS Source Port Randomization

2011-08-01 Thread John Bond
On 7/28/11 9:43 AM, Stephane Bortzmeyer wrote:
> Did you try to obtain an independent confirmation from a reliable
> source? (I do not know this product, but I distrust private black
> boxes.) I recommend:
NeXpose is a good vulnerability auditor; it is a product by Rapid7, the
owners of Metasploit. HD Moore, original author of Metasploit, is the
CSO and chief architect at Rapid7.

As others have suggested, I suspect this is caused by a firewall or IDS
changing the source port; I believe Check Point SmartDefense does this.
The best way to rule out BIND would be to run these checks locally.

The community edition of NeXpose is available for use with up to 32 IP
addresses, so you could just install it in a VM and run the tests locally.

http://www.rapid7.com/products/nexpose-community-edition.jsp


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Insufficient DNS Source Port Randomization

2011-07-29 Thread Warren Kumari

On Jul 28, 2011, at 3:43 AM, Stephane Bortzmeyer wrote:

> On Thu, Jul 28, 2011 at 03:33:11PM +0800,
> Pete Fong  wrote 
> a message of 27 lines which said:
> 
>> I have adjusted named.conf configuration file as below :
>> 
>> query-source address * port * ;
>> query-source-v6 address * port *;
> 
> BIND randomizes properly by default. I would suggest to delete all
> these lines.
> 
>> The NeXpose software still showed the same vulnerability.
> 
> Did you try to obtain an independent confirmation from a reliable
> source? (I do not know this product, but I distrust private black
> boxes.) I recommend:
> 
> https://www.dns-oarc.net/oarc/services/porttest
> https://www.dns-oarc.net/oarc/services/dnsentropy

+1.

W



Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Danilo Godec
If I understand correctly, the connection between the scanner PC and 
your DNS server is not really the issue here.


What can cause problems is a firewall between your DNS server and the 
Internet.



   Danilo



On 07/28/2011 10:08 AM, Pete Fong wrote:
> Hi, Matus UHLAR
>
> No, the scanner PC and DNS server are connected by a crossover cable in
> my environment. Therefore I do not have any idea.
>
> Thanks a lot,
> Pete Fong
>
> 2011/7/28 Matus UHLAR - fantomas:
>> On 28.07.11 15:33, Pete Fong wrote:
>>> My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
>>> DNS server. I have installed bind-9.7.3P3-0.2.1
>>>
>>> Our external auditor used "NeXpose" for scanning my system. It showed
>>> "Insufficient DNS Source Port Randomization Vulnerability".
>>
>> The insufficient randomization was afaik fixed in 9.5.0.
>>
>>> Therefore
>>> I have followed the BIND 9 Configuration Reference Guide and adjusted the
>>> named.conf configuration file as below:
>>>
>>> query-source address * port * ;
>>> query-source-v6 address * port *;
>>>
>>> use-v4-udp-ports { range 1024 65535; };
>>> use-v6-udp-ports { range 1024 65535; };
>>
>> Did you have these before? I think that BIND tries those ports by default,
>> so configuring them should not affect it.
>>
>>> But I am not lucky; the NeXpose software still showed the same
>>> vulnerability. Has anybody had this issue? Can anybody help me?
>>
>> Is your resolving server behind a firewall? Does the firewall change the
>> source port?
>> --
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Varovanie (Slovak): I do NOT wish to receive any advertising mail at this address.
>> Nothing is fool-proof to a talented fool.


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



--
Danilo Godec, system support / system administration

Visit our updated web page at www.agenda.si

OPEN SOURCE AND LINUX
SERVICES : BUSINESS SOLUTIONS : IT MANAGEMENT : IT INFRASTRUCTURE : TRAINING :
SOFTWARE



Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Pete Fong
Hi, Matus UHLAR

No, the scanner PC and DNS server are connected by a crossover cable in
my environment. Therefore I do not have any idea.

Thanks a lot,
Pete Fong

2011/7/28 Matus UHLAR - fantomas :
> On 28.07.11 15:33, Pete Fong wrote:
>>
>> My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
>> DNS server. I have installed bind-9.7.3P3-0.2.1
>>
>> Our external auditor used "NeXpose" for scanning my system. It showed
>> "Insufficient DNS Source Port Randomization Vulnerability".
>
> The insufficient randomization was afaik fixed in 9.5.0.
>
>> Therefore
>> I have followed BIND 9 Configuration Reference Guide, I have adjusted
>> named.conf configuration file as below :
>>
>> query-source address * port * ;
>> query-source-v6 address * port *;
>>
>> use-v4-udp-ports { range 1024 65535; };
>> use-v6-udp-ports { range 1024 65535; };
>
> Did you have these before? I think that BIND tries those ports by default,
> so configuring them should not affect it.
>
>> But I am not lucky; the NeXpose software still showed the same
>> vulnerability. Has anybody had this issue? Can anybody help me?
>
> Is your resolving server behind firewall? Does the firewall change source
> port?
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie (Slovak): I do NOT wish to receive any advertising mail at this address.
> Nothing is fool-proof to a talented fool.


Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Stephane Bortzmeyer
On Thu, Jul 28, 2011 at 03:33:11PM +0800,
 Pete Fong  wrote 
 a message of 27 lines which said:

> I have adjusted named.conf configuration file as below :
> 
> query-source address * port * ;
> query-source-v6 address * port *;

BIND randomizes properly by default. I would suggest deleting all
these lines.

> The NeXpose software still showed the same vulnerability.

Did you try to obtain an independent confirmation from a reliable
source? (I do not know this product, but I distrust private black
boxes.) I recommend:

https://www.dns-oarc.net/oarc/services/porttest
https://www.dns-oarc.net/oarc/services/dnsentropy
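To make Stephane's point concrete, the named.conf fragment below is an added example (not from the thread, from ISC's documentation or from NeXpose) showing the one setting that really does defeat BIND's port randomization beside the default behaviour that Pete's lines merely restate. The two options blocks are alternatives for comparison, not one file. The avoid-v4-udp-ports line and its port value are a hypothetical illustration for the case where a firewall in the path is known to drop certain ports.

```conf
// WEAK: pinning the outgoing port makes every query leave from UDP/53,
// so only the 16-bit transaction ID stands between a spoofed answer and
// the cache. A NAT/firewall that rewrites source ports to a fixed or
// sequential value has the same effect even when named is configured
// correctly, which is what a scanner outside that device will report.
options {
    query-source    address * port 53;
    query-source-v6 address * port 53;
};

// CORRECT: leave the port to named. "port *" is the default, so the two
// query-source lines can simply be deleted, as suggested in the thread.
// The use-v*-udp-ports ranges are the ones the thread says named already
// tries by default; they are written out only to make the behaviour explicit.
options {
    query-source    address * port *;
    query-source-v6 address * port *;
    use-v4-udp-ports { range 1024 65535; };
    use-v6-udp-ports { range 1024 65535; };
    // Hypothetical: exclude a single port a firewall in the path drops,
    // rather than narrowing the whole range to work around it.
    avoid-v4-udp-ports { 3128; };
};
```

After changing the file, `named-checkconf` followed by `rndc reconfig` applies it; a fresh run of the DNS-OARC porttest from the resolver itself then shows whether the randomization survives the path to the Internet.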


Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Matus UHLAR - fantomas

On 28.07.11 15:33, Pete Fong wrote:
> My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
> DNS server. I have installed bind-9.7.3P3-0.2.1
>
> Our external auditor used "NeXpose" for scanning my system. It showed
> "Insufficient DNS Source Port Randomization Vulnerability".

The insufficient randomization was afaik fixed in 9.5.0.

> Therefore
> I have followed the BIND 9 Configuration Reference Guide and adjusted the
> named.conf configuration file as below:
>
> query-source address * port * ;
> query-source-v6 address * port *;
>
> use-v4-udp-ports { range 1024 65535; };
> use-v6-udp-ports { range 1024 65535; };

Did you have these before? I think that BIND tries those ports by
default, so configuring them should not affect it.

> But I am not lucky; the NeXpose software still showed the same
> vulnerability. Has anybody had this issue? Can anybody help me?

Is your resolving server behind a firewall? Does the firewall change the
source port?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie (Slovak): I do NOT wish to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
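The local check John Bond recommends and the firewall question Matus and Danilo raise can be settled with the same measurement: capture the resolver's outgoing queries on its own interface and again on the outside of the firewall, then compare the spread of source ports at the two points. The Python below is an added example, not code from the thread, from NeXpose or from DNS-OARC. The two captures it analyzes are constructed inside the script (a properly randomizing resolver behind a PAT device that hands out ports sequentially, the case the thread suspects), the tcpdump line format it parses is the one `tcpdump -n 'udp dst port 53'` prints, and the thresholds in verdict() are the example's own choice, not OARC's grading.

```python
"""Offline check of DNS source-port randomization from two packet captures.

Parses tcpdump-style lines for outgoing UDP/53 queries, pulls out the UDP
source port and the DNS transaction ID, and reports spread/entropy figures
per capture point.  Everything below runs on CONSTRUCTED sample data.
"""
import math
import random
import re
import statistics
from collections import Counter

# `tcpdump -n -i <iface> 'udp dst port 53'` prints lines of this shape:
#   12:00:00.000123 IP 192.0.2.10.41237 > 198.51.100.5.53: 12345+ A? example.com. (29)
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: (?P<txid>\d+)\+?"
)


def parse_capture(text):
    """Return ([source ports], [transaction ids]) for every query line."""
    sports, txids = [], []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sports.append(int(m.group("sport")))
            txids.append(int(m.group("txid")))
    return sports, txids


def shannon_bits(values):
    """Empirical Shannon entropy of the observed values, in bits.

    With n samples this can never exceed log2(n), so it is a lower bound
    ('at least this many bits were exercised'), not the true entropy."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values):
    """Fraction of consecutive samples that differ by exactly +1.

    A PAT device that allocates ports in order scores close to 1.0."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def analyze(values):
    n = len(values)
    return {
        "samples": n,
        "unique": len(set(values)),
        "min": min(values),
        "max": max(values),
        "stdev": statistics.pstdev(values) if n > 1 else 0.0,
        "entropy_bits": shannon_bits(values),
        "sequential": sequential_fraction(values),
    }


def verdict(stats):
    """Coarse grade in the spirit of the DNS-OARC porttest output.

    The thresholds are this example's own choice, not OARC's."""
    if stats["unique"] <= 1:
        return "POOR (fixed port)"
    if stats["sequential"] > 0.5:
        return "POOR (sequential allocation, e.g. NAT/PAT rewrite)"
    if stats["unique"] < 0.8 * stats["samples"] or stats["stdev"] < 5000:
        return "POOR (narrow range)"
    return "GOOD"


def _build_captures(n=200, seed=7):
    """Constructed sample data: the same n queries as seen on the resolver's
    interface and again outside a firewall whose PAT rewrites the source
    port to a sequential value; the transaction IDs pass through untouched."""
    rng = random.Random(seed)
    inside, outside = [], []
    for i in range(n):
        sport = rng.randint(1024, 65535)  # what named itself chose
        txid = rng.randint(0, 65535)
        qname = f"h{i}.example.com."
        inside.append(f"12:00:{i % 60:02d}.000000 IP 192.0.2.10.{sport} > "
                      f"198.51.100.5.53: {txid}+ A? {qname} (29)")
        outside.append(f"12:00:{i % 60:02d}.000100 IP 203.0.113.1.{1024 + i} > "
                       f"198.51.100.5.53: {txid}+ A? {qname} (29)")
    return "\n".join(inside), "\n".join(outside)


INSIDE_CAPTURE, OUTSIDE_CAPTURE = _build_captures()


def report(label, text):
    """Print the figures for one capture; returns (port verdict, txid verdict)."""
    sports, txids = parse_capture(text)
    ps, ts = analyze(sports), analyze(txids)
    print(f"{label}: {ps['samples']} queries")
    print(f"  source ports: unique={ps['unique']} range={ps['min']}-{ps['max']} "
          f"stdev={ps['stdev']:.0f} entropy>={ps['entropy_bits']:.1f}b "
          f"sequential={ps['sequential']:.2f} -> {verdict(ps)}")
    print(f"  txids:        unique={ts['unique']} entropy>={ts['entropy_bits']:.1f}b "
          f"-> {verdict(ts)}")
    return verdict(ps), verdict(ts)


if __name__ == "__main__":
    report("resolver interface (inside)", INSIDE_CAPTURE)
    report("firewall outside interface", OUTSIDE_CAPTURE)
```

To use it on real traffic, replace the constructed captures with tcpdump output taken at both points while the resolver is busy (running the DNS-OARC porttest from the resolver is a convenient way to generate queries). If the resolver-side ports grade GOOD and the outside ports grade POOR while the transaction IDs look identical at both points, the device in between is rewriting the port and named is not the problem; if the resolver-side ports already look POOR, the problem is on the server after all.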


Insufficient DNS Source Port Randomization

2011-07-28 Thread Pete Fong
Hi Everybody,

My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
DNS server. I have installed bind-9.7.3P3-0.2.1

Our external auditor used "NeXpose" for scanning my system. It showed
"Insufficient DNS Source Port Randomization Vulnerability". Therefore
I have followed the BIND 9 Configuration Reference Guide and adjusted the
named.conf configuration file as below:

query-source address * port * ;
query-source-v6 address * port *;

use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };

But I am not lucky; the NeXpose software still showed the same
vulnerability. Has anybody had this issue? Can anybody help me?

Thanks a lot,
Pete Fong