Netgate Discussion Forum
    DNS vulnerable, any chance that a patch is being considered?

    General pfSense Questions
    3 Posts 3 Posters 3.4k Views
      eprimetime

      If you go here: www.doxpara.com, you can read details on a new DNS server security flaw that has been discovered, which pretty much covers ALL DNS server implementations.

      Since there is not any discussion here in this forum on the issue, I wanted to make sure that people were aware of it.  You can test your DNS server by going to the above web site and clicking the "Test My DNS" button.  When I did so, it reported the following:

      Your name server, at 68.87.72.133, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 465.

      Please talk to your firewall or gateway vendor – all are working on patches, mitigations, and workarounds.
      Requests seen for 1a8906b78bf4.toorrr.com:
      68.87.72.133:25728 TXID=19664
      68.87.72.133:25700 TXID=46559
      68.87.72.133:25717 TXID=57231
      68.87.72.133:25461 TXID=4704
      68.87.72.133:25263 TXID=24983

      Well, pfsense.org is my firewall vendor, or as close as it gets.  I understand that it is made up of many open-source packages, so they are not responsible for the individual pieces per se, but as a whole package I feel they are.  I would be happy to help beta-test any new fixes for this that the developers feel need to be made.  I am not sure if the port range notice is a setting in pfSense, or hard coded in the DNS software that it uses.

      Sincerely,

      John Elliott

      •
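The figure the test page complains about is the spread between the largest and smallest UDP source port it saw the resolver use: a narrow spread means an off-path attacker only has to guess the 16-bit transaction ID plus a few hundred ports, not the full 16 + 16 bits that source-port randomization is supposed to buy. The script below is an added example written for this thread; it is not the doxpara test code, not pfSense code, and not something any poster wrote. It parses the "ip:port TXID=n" lines quoted in the post (those five lines are its sample input), reports the spread, distinct ports, repeated TXIDs and a rough guess-space estimate, and then shows the same check against a constructed resolver that randomizes over the whole ephemeral range, before and after a hypothetical NAT that rewrites source ports sequentially. The 2^14 spread threshold and the sequential NAT are assumptions for illustration, not what the test page or pf actually does.

```python
"""Judge DNS source-port randomization from a handful of observed queries.

Added example for this thread; it is not the doxpara "Test My DNS" code,
pfSense code, or anything a poster wrote. The report format it parses is
the one quoted in the first post; the threshold and the simulated NAT are
assumptions used only for illustration.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Shape of the quoted report lines: "68.87.72.133:25728 TXID=19664"
_LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+TXID=(\d+)$")


@dataclass(frozen=True)
class Query:
    ip: str
    port: int   # UDP source port seen by the test server (resolver's, or the NAT's)
    txid: int   # 16-bit DNS transaction ID


def parse_report(text: str) -> list[Query]:
    """Extract ip:port TXID=n lines; headers and prose lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            out.append(Query(m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def port_spread(queries: list[Query]) -> int:
    """Largest minus smallest observed source port, the figure the test reports."""
    ports = [q.port for q in queries]
    return max(ports) - min(ports)


def guess_bits(queries: list[Query], txid_bits: int = 16) -> float:
    """Rough number of bits an off-path attacker must guess per forged reply.

    log2 of the observed spread is a crude stand-in for the port space; the
    TXID is assumed fully random. A resolver that randomizes across the whole
    ephemeral range approaches 16 + 16 bits; a fixed or NAT-confined port
    collapses that back towards 16.
    """
    return math.log2(port_spread(queries) + 1) + txid_bits


def assess(queries: list[Query], min_spread: int = 1 << 14) -> dict:
    """Verdict for one resolver. min_spread is an assumed threshold, not the test page's."""
    if len(queries) < 2:
        raise ValueError("need at least two observed queries")
    spread = port_spread(queries)
    txids = [q.txid for q in queries]
    return {
        "samples": len(queries),
        "port_spread": spread,
        "distinct_ports": len({q.port for q in queries}),
        "repeated_txids": len(txids) - len(set(txids)),
        "guess_bits": round(guess_bits(queries), 2),
        "verdict": "narrow" if spread < min_spread else "ok",
    }


def through_sequential_nat(queries: list[Query], first_port: int = 40000) -> list[Query]:
    """Hypothetical NAT that hands out translated source ports consecutively.

    Used only to show how a NAT in front of a good resolver can undo its
    randomization: whatever ports the resolver chose are replaced by a run
    of adjacent ones, so the observed spread shrinks to the sample count.
    """
    return [Query(q.ip, first_port + i, q.txid) for i, q in enumerate(queries)]


# Constructed input: the five lines quoted in the post above.
POSTED_REPORT = """\
Requests seen for 1a8906b78bf4.toorrr.com:
68.87.72.133:25728 TXID=19664
68.87.72.133:25700 TXID=46559
68.87.72.133:25717 TXID=57231
68.87.72.133:25461 TXID=4704
68.87.72.133:25263 TXID=24983
"""

# Constructed comparison: a resolver drawing ports anywhere in 1024..65535.
RANDOMIZED_SAMPLE = [
    Query("192.0.2.53", 1133, 19664),
    Query("192.0.2.53", 60211, 46559),
    Query("192.0.2.53", 33870, 57231),
    Query("192.0.2.53", 7702, 4704),
    Query("192.0.2.53", 51298, 24983),
]


if __name__ == "__main__":
    print("posted  :", assess(parse_report(POSTED_REPORT)))
    print("random  :", assess(RANDOMIZED_SAMPLE))
    print("via NAT :", assess(through_sequential_nat(RANDOMIZED_SAMPLE)))
```

Five samples is a very coarse estimate (the real test collects more), but even this many is enough to tell the three cases apart: the posted data gives a spread of 465 and about 25 bits to guess, the constructed random resolver gives roughly 32, and the same resolver behind the sequential NAT drops to about 18. That last case is the situation the test page's message describes: the resolver itself may be fine, but whatever sits in front of it and rewrites source ports decides how much of the randomization survives.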
        GruensFroeschli

        Can you be more specific which article you mean on this page?

        Or are you talking about this issue?
        http://blog.pfsense.org/?p=209
        http://blog.pfsense.org/?p=210

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        •
          cmb

          What GruensFroeschli linked is appropriate if you're using the DNS forwarder. If you're using the DNS forwarder, what it's reporting on is your ISP's DNS servers.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.