BIND Port Randomization
Ryan Sharpe
rsharpe at largnet.on.ca
Fri Jul 25 13:53:41 UTC 2008
Thanks Barry!
The problem was indeed the query-source.
Ryan Sharpe, CCNA
Technical Analyst
LARG*net
(519) 661-2111 x 86356
support pager: (519) 690-3216
-----Original Message-----
From: redhat-sysadmin-list-bounces at redhat.com
[mailto:redhat-sysadmin-list-bounces at redhat.com] On Behalf Of Barry Brimer
Sent: Friday, July 25, 2008 09:28 AM
To: redhat-sysadmin-list at redhat.com
Subject: Re: BIND Port Randomization
> In response to the Errata RHSA-2008:0533 I have installed the updated ISC
> Bind packages from Red Hat as well as updated the selinux targeted
> policy.
> However when I test the server using http://www.doxpara.com/ it still
> shows up as being vulnerable to DNS cache poisoning.
>
> Before this I had SELinux completely disabled, so I thought I may need to
> turn it on. I have since set it to permissive mode and rebooted, but
> still
> the DNS source ports aren't randomizing. So again I changed the mode to
> enforcing, but still when I run the test it shows that I am vulnerable.
> What am I missing, is there a BIND directive I need?
The latest BIND does work with the latest SELinux packages .. in fact on
RHEL 5 you *NEED* the latest SELinux packages or named is not allowed to
use random ports.
Make sure there is not a line in your named.conf that says "query-source
address * port 53" .. that is basically instructing your named to only use
port 53.
If you are behind a NAT device, it may reorder the source ports being used
when going through the NAT .. which is a bigger problem to fix and
dependent upon your NAT vendor. Make sure that you are not doing DNS
forwarding or your name server will not be the one making the final query.
HTH,
Barry
--
redhat-sysadmin-list mailing list
redhat-sysadmin-list at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-sysadmin-list
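Barry's two checks (a query-source line that pins "port 53", and forwarding that hands the final query to another server) are easy to turn into a repeatable audit of named.conf. The script below is an added example for this archive page; it is not code from the thread, from Red Hat or from ISC. The two sample configurations are constructed for the example (the forwarder addresses are RFC 5737 documentation addresses), and the function names audit() and strip_comments() are the example's own.

```python
"""Audit a BIND named.conf for settings that defeat source-port randomization.

Added example, not code from the mailing-list thread, Red Hat or ISC.
It checks the two things the reply above points at:
  1. a query-source / query-source-v6 directive that pins "port NNN"
     (anything other than "port *"): every upstream query then leaves
     from that one port, so there is nothing for an attacker to guess;
  2. a non-empty forwarders list (with or without "forward only"): this
     server is then not the one making the final query, so a poisoning
     test answers for the forwarder, not for this host.
Both sample configurations are constructed for the example; the
forwarder addresses are RFC 5737 documentation addresses.
"""
import re

# Constructed sample: the weak configuration described in the thread.
WEAK_CONF = """\
options {
    directory "/var/named";
    // Old stateful-firewall advice: this pins the source port to 53.
    query-source address * port 53;
    query-source-v6 address * port 53;
    forwarders { 192.0.2.1; 192.0.2.2; };   /* RFC 5737 example addresses */
    forward only;
    allow-recursion { localnets; };
};
"""

# Constructed sample: the corrected configuration.
FIXED_CONF = """\
options {
    directory "/var/named";
    # No "port" clause: named picks an ephemeral port per query (the default).
    query-source address *;
    query-source-v6 address *;
    forwarders { };        # empty: this server resolves iteratively itself
    allow-recursion { localnets; };
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, //, #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return text


QS_RE = re.compile(r"\b(query-source(?:-v6)?)\b([^;]*);")
FWD_RE = re.compile(r"\bforwarders\s*\{([^}]*)\}\s*;")
FWD_ONLY_RE = re.compile(r"\bforward\s+only\s*;")


def audit(conf_text):
    """Return a list of (kind, detail) findings; an empty list means nothing found."""
    findings = []
    text = strip_comments(conf_text)
    for m in QS_RE.finditer(text):
        directive, args = m.group(1), m.group(2)
        port = re.search(r"\bport\s+(\S+)", args)
        # "port *" (or no port clause at all) leaves the choice to named.
        if port and port.group(1) != "*":
            findings.append(("fixed-source-port",
                             f"{directive} pins port {port.group(1)}"))
    fwd = FWD_RE.search(text)
    if fwd:
        addrs = [a.strip() for a in fwd.group(1).split(";") if a.strip()]
        if addrs:
            mode = "forward only" if FWD_ONLY_RE.search(text) else "forward first"
            findings.append(("forwarding",
                             f"{mode} to {', '.join(addrs)}; "
                             "test the forwarder, not this host"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        found = audit(conf)
        print(f"{name}: {'no findings' if not found else ''}")
        for kind, detail in found:
            print(f"  [{kind}] {detail}")
```

Run it against /etc/named.conf (read the file and pass its contents to audit()) before and after the change; once it reports nothing, re-run the doxpara.com test from the thread, keeping in mind Barry's caveat that a NAT device in front of the server can undo the randomization on the wire.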