BIND Port Randomization
Barry Brimer
lists at brimer.org
Fri Jul 25 13:28:00 UTC 2008
> In response to the Errata RHSA-2008:0533 I have installed the updated ISC
> Bind packages from Red Hat as well as updated the selinux targeted policy.
> However when I test the server using http://www.doxpara.com/ it still
> shows up as being vulnerable to DNS cache poisoning.
>
> Before this I had SELinux completely disabled, so I thought I may need to
> turn it on. I have since set it to permissive mode and rebooted, but still
> the DNS source ports aren't randomizing. So again I changed the mode to
> enforcing, but still when I run the test it shows that I am vulnerable.
> What am I missing, is there a BIND directive I need?
The latest BIND does work with the latest SELinux packages .. in fact on
RHEL 5 you *NEED* the latest SELinux packages or named is not allowed to
use random ports.
Make sure there is not a line in your named.conf that says "query-source
address * port 53" .. that is basically instructing your named to only use
port 53.
If you are behind a NAT device, it may reorder the source ports being used
when going through the NAT .. which is a bigger problem to fix and
dependent upon your NAT vendor. Make sure that you are not doing DNS
forwarding or your name server will not be the one making the final query.
HTH,
Barry