Re: Securing bind..

To: debian-security@lists.debian.org
Subject: Re: Securing bind..
From: Peter Wiersig <wiersig@peter.glamus.de>
Date: Mon, 31 Dec 2001 15:40:26 +0100
Message-id: <[🔎] 200112311437.PAA10628@dns.glamus.de>
In-reply-to: <[🔎] 20011231142018.A2120@lise.hsc.fr>
References: <[🔎] Pine.LNX.3.96.1011230091206.4175A-100000@trillian> <[🔎] 20011230213950.7484D3762A6@lyta.coker.com.au> <[🔎] 20011231142018.A2120@lise.hsc.fr>

On Monday, 31. December 2001 14:20, Thomas Seyrat wrote:

>   By forcing the source port for recursive requests to a given fixed
>   one, do you not make yourself more vulnerable to the spoofing attacks
>   you were talking about, because the attacker does not have to predict
>   the source port of the query ?

Please think about the follwing to lines bind sent to my syslog:

Dec 20 13:02:07 host named[571]: reloading nameserver
Dec 20 13:02:07 host named[571]: Forwarding source address is [0.0.0.0].1141
Dec 20 13:02:07 host named[571]: Ready to answer queries.

So I'm guessing bind always uses a fixed source port which is determined when 
starting the name-server.

The attacker has to know the source port for any attack, but when you are 
offering recursive queries to the internet, the attacker only has to be 
providing name-services for a domain to get your source-port: He asks your 
nameserver to resolve his domain and log the incoming packets from your 
server to his nameserver (or some nameserver he cracked).

If you are only providing recursive lookups for your network it would be 
harder to get your source-port.

Peter

Reply to:

References:
- Re: Securing bind..
  - From: Jor-el <jorel@trillian.megadodo.umb>
- Re: Securing bind..
  - From: Russell Coker <russell@coker.com.au>
- Re: Securing bind..
  - From: Thomas Seyrat <thomas@glou.net>

Prev by Date: Re: Securing bind..
Next by Date: faq? rpc.statd: gethostbyname error for
Previous by thread: Re: Securing bind..
Next by thread: Re: Securing bind..
Index(es):
- Date
- Thread