Netgate Discussion Forum

    CERT VU#800113 dns random port vuln. question

    Category: DHCP and DNS
    6 Posts, 3 Posters, 3.2k Views
    dhlarsonhotmail.com:

      I have an inside DNS server that does resolution for the inside and outside. The server sits behind the pfSense firewall. I did the DNS patch to the firewall and have the latest BIND on my DNS server.

      The test I did for my DNS server is:
      dig @MyDNSserver +short porttest.dns-oarc.net TXT (the test for the vulnerability I found on https://www.dns-oarc.net/oarc/services/porttest and http://isc.sans.org/diary.html?storyid=4765&rss, so I believe it is a valid test).

      However, the rating I get on my DNS server when it goes through pfSense is a fair rating. However, if I move the DNS server so it is outside the firewall, I get a rating of good.

      It appears the firewall is preventing or reducing the randomness, or whatever the term is :)

      Any ideas on what can be changed on the firewall to allow the DNS server to hide behind the firewall and still be able to work as a recursive DNS server – we'd like to not make it a forwarder.

      Thank you all for your help.

      Dean

      billm:

        Do a static NAT if you would prefer to use the randomness of your other host instead of the randomness of the firewall. We'll still re-randomize your IP IDs by default.

        –Bill

        pfSense core developer
        blog - http://www.ucsecurity.com/
        twitter - billmarquette

        cmb:

          It's still random. Info from pf developer Max Laier:

          "Note that "dig +short porttest.dns-oarc.net TXT" will give a stddev around
          18k for a patched bind and "only" 6-10k with a pf NAT in default config.
          This, however, does NOT mean that the pf NAT is degrading the security.
          It only illustrates that stddev is not a measure of randomness, but
          merely an indicator."

          dhlarsonhotmail.com:

            If I wanted to make the change, I'd do that in Firewall / NAT / Outbound, then switch it to manual and put in what I wanted. Correct? Would that mean I'd need to do the same for all the hosts sitting behind the firewall?

            I'm a rookie on this pfSense stuff...

            Thank you all

            dhlarsonhotmail.com:

              I did a 1:1 and a virtual host on the outside interface, and now it appears the DNS server is a bit more random. (Sounds like my teenager. :) )

              Is that how you all would have done it?

              Thank you all

              cmb:

                Unless you use AON and enable static port, pf will rewrite the source port with its own randomness. What you're seeing is exactly what I previously mentioned - illustrating that stddev is not a measure of randomness, but merely an indicator. It's random either way you do it.
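As an added illustration of cmb's point that the stddev reported by a port test measures spread, not unpredictability (example code written for this thread, not from the forum or from pfSense), the script below compares three constructed port samples: a perfectly predictable counter stepping across the ephemeral range scores the same stddev as a uniformly random draw, while a random draw confined to a narrower constructed range scores lower even though each port is still unguessable. The port range and sample sizes are assumptions for the demo.

```python
import random
import statistics

EPHEMERAL_LO, EPHEMERAL_HI = 1024, 65535   # assumed ephemeral port range for the demo


def port_stddev(ports):
    """Population standard deviation, the kind of figure a port test reports."""
    return statistics.pstdev(ports)


def uniform_random_ports(n, lo=EPHEMERAL_LO, hi=EPHEMERAL_HI, seed=1):
    """Constructed sample: each query gets an independent, uniformly random port."""
    rng = random.Random(seed)
    return [rng.randint(lo, hi) for _ in range(n)]


def sequential_ports(n, lo=EPHEMERAL_LO, hi=EPHEMERAL_HI):
    """Constructed sample: a counter stepping evenly across the whole range.
    Completely predictable, yet its spread matches the random sample."""
    step = (hi - lo) / (n - 1)
    return [int(lo + i * step) for i in range(n)]


def is_arithmetic(ports, tolerance=1):
    """Cheap predictability check: do consecutive ports differ by a constant?
    True means the next port can be guessed from the previous two."""
    diffs = [b - a for a, b in zip(ports, ports[1:])]
    return max(diffs) - min(diffs) <= tolerance


def summarize(label, ports):
    """Report spread and predictability side by side for one sample."""
    return {
        "label": label,
        "stddev": round(port_stddev(ports)),
        "predictable": is_arithmetic(ports),
    }


if __name__ == "__main__":
    n = 200
    samples = [
        ("uniform random, full range", uniform_random_ports(n)),
        ("sequential counter, full range", sequential_ports(n)),
        ("uniform random, narrow constructed range 50000-65535",
         uniform_random_ports(n, 50000, 65535)),
    ]
    for label, ports in samples:
        print(summarize(label, ports))
```

The first two samples report a stddev near 18k, yet only the second is predictable; the third reports a much smaller stddev while remaining unpredictable, which is why a lower figure behind NAT is an indicator to investigate, not proof of weak randomization.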
