CERT VU#800113 dns random port vuln. question

  • i have an inside dns server that does resolution for the inside and outside.    the server sits behind the pfsense firewall.  i did the dns patch to the firewall and have the latest bind on my dns server.

    the test i did for my dns server is:
    dig @MyDNSserver +short porttest.dns-oarc.net TXT  (the test for the vulnerability i found on https://www.dns-oarc.net/oarc/services/porttest and http://isc.sans.org/diary.html?storyid=4765&rss, so i believe it is a valid test.

    however the rating i get on my dns server when it goes through pfsense is a fair rating. however if i move the dns server so it is outside the firewall, i get a rating of good.

    it appears the firewall is preventing or reducing the randomness, or what ever the term is  :)

    any ideas on what can be changed on the firewall to allow the dns server to hide behind the firewall and still be able to work as a recursive dns server – we'd like to not make it a forwarder.

    thank you all for your help.


  • Do a static NAT if you would prefer to use the randomness of your other host instead of the randomness of the firewall.  We'll still re-randomize your IP ID's by default.


  • It's still random. Info from pf developer Max Laier:

    "Note that "dig +short porttest.dns-oarc.net TXT" will give a stddev around
    18k for a patched bind and "only" 6-10k with a pf NAT in default config.
    This, however, does NOT mean that the pf NAT is degrading the security.
    It only illustrates that stddev is not a measure of randomness, but
    merely an indicator."

  • if i wanted to make the change, i'd do that firewall/nat/outbound then switch it to manual and put in what i wanted.  correct?  would that mean, i'd need to do the same for all the hosts sitting behind the firewall?

    i'm a rookie on this pfsense stuff…...

    thank you all

  • i did i 1:1 and a virtual host on the outside interface.  and now it appears the dns server is a bit more random.  (sounds like my teenager.  :)  )

    is that how you all would have done it?

    thank you all

  • Unless you use AON and enable static port, pf will rewrite the source port with its own randomness. What you're seeing is exactly what I previously mentioned - illustrating that stddev is not a measure of randomness, but merely an indicator. It's random either way you do it.

Log in to reply