CERT VU#800113 dns random port vuln. question
-
i have an inside dns server that does resolution for the inside and outside. the server sits behind the pfsense firewall. i did the dns patch to the firewall and have the latest bind on my dns server.
the test i did for my dns server is:
dig @MyDNSserver +short porttest.dns-oarc.net TXT (the test for the vulnerability i found on https://www.dns-oarc.net/oarc/services/porttest and http://isc.sans.org/diary.html?storyid=4765&rss, so i believe it is a valid test). however, the rating i get on my dns server when it goes through pfsense is a fair rating. if i move the dns server so it is outside the firewall, i get a rating of good.
it appears the firewall is preventing or reducing the randomness, or whatever the term is :)
any ideas on what can be changed on the firewall to allow the dns server to hide behind the firewall and still be able to work as a recursive dns server – we'd like to not make it a forwarder.
thank you all for your help.
dean
-
Do a static NAT if you would prefer to use the randomness of your other host instead of the randomness of the firewall. We'll still re-randomize your IP IDs by default.
–Bill
-
It's still random. Info from pf developer Max Laier:
"Note that "dig +short porttest.dns-oarc.net TXT" will give a stddev around 18k for a patched bind and "only" 6-10k with a pf NAT in default config. This, however, does NOT mean that the pf NAT is degrading the security. It only illustrates that stddev is not a measure of randomness, but merely an indicator."
-
if i wanted to make the change, i'd do that firewall/nat/outbound then switch it to manual and put in what i wanted. correct? would that mean, i'd need to do the same for all the hosts sitting behind the firewall?
i'm a rookie on this pfsense stuff...
thank you all
-
i did a 1:1 and a virtual host on the outside interface. and now it appears the dns server is a bit more random. (sounds like my teenager. :) )
is that how you all would have done it?
thank you all
-
Unless you use AON and enable static port, pf will rewrite the source port with its own randomness. What you're seeing is exactly what I previously mentioned - illustrating that stddev is not a measure of randomness, but merely an indicator. It's random either way you do it.
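The point made twice in this thread, that the stddev figure reported by a porttest-style check is only an indicator and not a measure of randomness, can be demonstrated with a small script. The following is an added example, not code from the thread, pfSense or DNS-OARC. It constructs three synthetic sequences of source ports standing in for what the test server would observe leaving a resolver or its NAT: genuinely random ports, a counter striding through the ephemeral range, and a sequence that flips between the two extremes. The port range and the "two-guess" predictability check are assumptions chosen for illustration. The two predictable sequences score a stddev as high as or higher than the random one, while a trivial predictor guesses every one of their ports.

```python
"""Added example (not from the forum thread): why a port-randomness
score based on standard deviation is only an indicator.

Constructed samples stand in for the source ports a test server such as
porttest.dns-oarc.net would see arriving from a resolver (or from the NAT
device in front of it)."""
import random
import statistics

PORT_LO, PORT_HI = 1024, 65535  # ephemeral range assumed for this example


def random_ports(n, seed=None):
    """Constructed sample: independent uniform draws over the ephemeral range."""
    rng = random.Random(seed)
    return [rng.randint(PORT_LO, PORT_HI) for _ in range(n)]


def sequential_ports(n, start=PORT_LO, step=32):
    """Constructed sample: a counter that strides through the range.
    Spread widely enough to score a large stddev, yet trivially predictable."""
    return [start + i * step for i in range(n)]


def alternating_ports(n):
    """Constructed sample: flips between the two extremes.
    Maximal stddev, zero unpredictability."""
    return [PORT_LO if i % 2 == 0 else PORT_HI for i in range(n)]


def port_stddev(ports):
    """The stddev figure a porttest-style check reports (population stddev)."""
    return statistics.pstdev(ports)


def two_guess_hit_rate(ports):
    """Fraction of ports an observer predicts correctly with two cheap guesses:
    'continue the last stride' and 'repeat the value from two samples back'.
    A resolver whose ports are actually random scores near zero here no
    matter what its stddev looks like."""
    hits = 0
    for i in range(2, len(ports)):
        prev, last = ports[i - 2], ports[i - 1]
        guesses = {last + (last - prev), prev}
        if ports[i] in guesses:
            hits += 1
    return hits / max(1, len(ports) - 2)


def report(label, ports):
    print(f"{label:12s} stddev={port_stddev(ports):8.1f} "
          f"predictable={two_guess_hit_rate(ports):.3f}")


if __name__ == "__main__":
    n = 2000
    report("random", random_ports(n, seed=1))
    report("sequential", sequential_ports(n))
    report("alternating", alternating_ports(n))
```

Run as-is, the random sample reports a stddev near 18.6k with a predictability close to zero; the strided counter reports a stddev in the same neighbourhood and the alternating sequence a higher one, yet both are predicted on every sample. A lower stddev behind the NAT, as in the original question, therefore says nothing by itself about whether pf's port rewriting is weaker than BIND's; what matters is whether the next port can be guessed.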