DNS forwarder in 1.2 release does not do port randomisation



  • Using the capture function in pfsense I noticed that the DNS forwarder is listening on a fixed UDP port. Is this port the same for all pfsense installations, predictable or from a small known range? Because if so, that would leave you vulnerable for Kaminsky style exploits.

    It is very easy to obtain both someone's IP address and the address of the primary resolver pfsense is using.

    https://www.dns-oarc.net/oarc/services/dnsentropy operates on that principle.



  • I believe that's what the 1.2.1 release is designed to fix.



  • From http://blog.pfsense.org/?p=207 i get the impression the 1.2.1 series are nightly builds for testing FreeBSD 7.0 etc, and not considered stable. Anyway, I looked at http://devwiki.pfsense.org/ChangesV121 and a DNS resolver fix is not mentioned.

    I think I will just disable the resolver for now and start using my ISP DNS servers from my clients until there is a new stable release out.

    [edit] Are you referring to this thread about dnsmasq?



  • Yes, I believe 1.2.1 isn't that far out and it will have the DNS fix integrated. Another option is to use another internal DNS server because the nature of pfSense's network address translation will add the entropy to the source ports for an easy fix.



  • @Roelof:

    DNS forwarder is listening on a fixed UDP port.

    Listening on a fixed port (53 for DNS) is what a service does because it has to, otherwise no one would be able to connect to it. The source port(s) used for outgoing DNS queries is what this discovered vulnerability is all about, not the listening port.



  • We've had updates on this issue on our blog since the day the patches first came out. Latest info here.
    http://blog.pfsense.org/?p=220

    Patch here if you want to update, it isn't directly relevant to this particular problem though:
    http://blog.pfsense.org/?p=210



  • @cmb
    Thanks for that info! I'll try out the new dnsmasq [edit] Just installed it. The listening port is random now. Thanks! [/edit]

    I am not so sure dnsmasq would not be vulnerable though. Since you mostly know which DNS servers an ISP uses, that just means that for a home user you don't even have to find out which DNS server is authoritative for the zone you want to fake. You can just spoof the ISP DNS servers' IP addresses. The provider can be obtained from a simple whois query.

    In a sense, that makes an unpatched dnsmasq even more vulnerable.

    I suspect we will be seeing attacks on provider IP ranges. Here in the Netherlands, many providers deliver a bundled ADSL service with a specific router type. This results in a range of IP addresses, all listening on an identical fixed UDP port for replies originating from the same IP address. Ideal cannon fodder for shotgun-approach attacks.

    Rolling your own router suddenly makes a lot more sense. pfsense rules :-)

    @kpa:
    53 is the port a DNS server listens on. I am talking about the UDP port a resolver listens on for the returning answer.
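A check for the symptom described in this thread (a forwarder sending every outbound query from one UDP port), added here as an example and not code from pfSense or dnsmasq; it works on constructed records in the (src_port, dst_ip, txid) shape a packet capture of the WAN side yields, and the "weak" verdict generalises the fixed-port case to ports drawn from a small set.

```python
"""Assess whether a DNS forwarder randomises the UDP source port of its
outbound queries. The records below are constructed to mimic what a packet
capture shows; they are not a real pfSense capture."""
import math
import random
from collections import Counter

# Constructed: a forwarder sending every query to one upstream resolver
# from the same source port (the behaviour reported in the thread).
FIXED_PORT_QUERIES = [(2049, "192.0.2.53", 0x1000 + i * 7) for i in range(20)]

# Constructed: the same queries with a fresh random high port per query.
_rng = random.Random(1)
RANDOM_PORT_QUERIES = [(p, "192.0.2.53", 0x1000 + i * 7)
                       for i, p in enumerate(_rng.sample(range(1024, 65536), 20))]


def shannon_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_source_ports(queries):
    """queries: iterable of (src_port, dst_ip, txid) for outbound DNS queries.
    Returns distinct-port count, observed port/txid entropy and a verdict."""
    queries = list(queries)
    if not queries:
        return {"distinct_ports": 0, "port_bits": 0.0, "txid_bits": 0.0, "verdict": "no data"}
    ports = [q[0] for q in queries]
    txids = [q[2] for q in queries]
    port_bits = shannon_bits(ports)
    if len(set(ports)) == 1:
        # Only the 16-bit transaction ID must be matched by a forged answer.
        verdict = "fixed"
    elif port_bits < 0.9 * math.log2(len(ports)):
        # Ports repeat far more often than independent random picks would.
        verdict = "weak"
    else:
        verdict = "randomised"
    return {
        "distinct_ports": len(set(ports)),
        "port_bits": round(port_bits, 2),
        "txid_bits": round(shannon_bits(txids), 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_QUERIES), ("random", RANDOM_PORT_QUERIES)):
        print(name, assess_source_ports(sample))
```

The thresholds are a heuristic for a small capture; a real assessment should use a few hundred queries to the same upstream.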



  • @Roelof:

    I am not so sure dnsmasq would not be vulnerable though. Since you mostly know which DNS servers an ISP uses, that just means that for a home user you don't even have to find out which DNS server is authoritative for the zone you want to fake. You can just spoof the ISP DNS servers' IP addresses. The provider can be obtained from a simple whois query.

    I said "not vulnerable to this particular problem". :) This particular problem is only for recursive queries, which dnsmasq doesn't issue. Yes, it could potentially be possible to do something of the nature you describe though. The likelihood of something like this being feasible depends on the ISP, and the attacker must know you're running a DNS forwarder, know what source port that forwarder uses, and know which DNS server you're using.

    This isn't remotely as big of an issue because it requires information about the environment you're attacking. In most all cases this is info you can't get unless you can intercept traffic from your connection to your ISP's DNS server. Anyone with that kind of access most likely has the ability to poison your DNS cache (and worse) in many easier ways.

    There are other reasons this is more difficult, don't have time to get into it further this evening. In short - if you're super paranoid you'll want to upgrade your dnsmasq. This would require a much more elaborate and targeted attack to successfully exploit though.



  • I think there is also a patch needed for the ipfilter:

    "2020447 IPFilter's NAT can undo name server random port selection"
    http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/ipfilter/ip_fil.c

    This is the thread on the monowall-mailing-list:
    http://m0n0.ch/wall/list/showmsg.php?id=347/77



  • We don't use ipfilter, we use pf which has done source port randomization by default for 8 years. ipfilter is finally catching up. :)

