Message-ID: <2c0942db0807311436p6c61d2f0o9bfe67ffeaaf0e91@mail.gmail.com>
Date:	Thu, 31 Jul 2008 14:36:21 -0700
From:	"Ray Lee" <ray-lk@...rabbit.org>
To:	"Willy Tarreau" <w@....eu>
Cc:	"Richard Hartmann" <richih.mailinglist@...il.com>,
	linux-kernel@...r.kernel.org
Subject: Re: iptables, NAT, DNS & Dan Kaminsky

On Thu, Jul 31, 2008 at 2:14 PM, Willy Tarreau <w@....eu> wrote:
>> > And BTW I don't think that many of the people
>> > reading LKML care a dime about the "exploit" for poorly configured
>> > DNS servers.
>>
>> It is an exploit that is being abused as we speak and,
>
> That does not mean that abused servers were properly set up.

Properly configured servers are vulnerable, that's why this is such a
big deal. This is a problem with the design of the DNS protocol (&
associated behaviors) itself -- the only mitigation strategy sysadmins
have right now is forcing a randomization of the source port (outside
of the DNS resolver itself), or placing the DNS resolver behind a NAT
masquerading firewall that does strict response dropping if a response
comes from the wrong host. (There used to be an option in the kernel
to deal with that -- loose source routing or some such, but I think
that's a bygone from the 2.4 era.)

So, to answer Richard, yes something like that should work. I'm not an
iptables guru by any means, but what you should do is set up a machine
with that, and sniff the output of the DNS server before and after
enabling that line to verify that it works.

The better solution, of course, is to update your DNS server to allow
it to do the source port randomization itself.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
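The "sniff the output before and after" check that Ray recommends can be made mechanical. The script below is an added example for this thread, not code from the mail or from any of the projects mentioned: it takes the text output of a capture (the assumed format is what `tcpdump -n udp port 53` prints for IPv4), keeps only the queries the resolver itself sends to port 53, and reports whether the source ports are fixed, sequential, or varied. The two captures embedded in it are constructed samples standing in for the "before" and "after" runs; the resolver address 192.168.1.10 is likewise assumed.

```python
"""Check whether a resolver's outbound DNS queries use varied source ports.

Added example for the LKML thread on source-port randomization; not part
of the original mail. Input is assumed to be tcpdump -n text output, i.e.
lines containing "IP <src>.<sport> > <dst>.<dport>: ...".
"""
import math
import re
from collections import Counter

# Source/destination address and port as tcpdump -n prints them for IPv4.
_LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample: resolver always queries from port 53 (the weak case).
# The last line is an answer coming back, which must not be counted.
BEFORE = """\
12:00:01.000001 IP 192.168.1.10.53 > 198.51.100.1.53: 1234+ A? example.com. (29)
12:00:01.000200 IP 192.168.1.10.53 > 198.51.100.2.53: 1235+ A? example.org. (29)
12:00:01.000400 IP 192.168.1.10.53 > 198.51.100.1.53: 1236+ AAAA? example.com. (29)
12:00:01.000600 IP 198.51.100.1.53 > 192.168.1.10.53: 1234 1/0/0 A 93.184.216.34 (45)
"""

# Constructed sample: same queries after source-port randomization is in effect.
AFTER = """\
12:05:01.000001 IP 192.168.1.10.41872 > 198.51.100.1.53: 1234+ A? example.com. (29)
12:05:01.000200 IP 192.168.1.10.60213 > 198.51.100.2.53: 1235+ A? example.org. (29)
12:05:01.000400 IP 192.168.1.10.33019 > 198.51.100.1.53: 1236+ AAAA? example.com. (29)
12:05:01.000600 IP 198.51.100.1.53 > 192.168.1.10.41872: 1234 1/0/0 A 93.184.216.34 (45)
"""


def source_ports(capture: str, resolver_ip: str) -> list[int]:
    """Return source ports of queries sent by resolver_ip to UDP port 53.

    Responses (port 53 -> resolver) are skipped by requiring the resolver
    to be the *source*; without that filter a port-53 resolver would look
    like it had two ports in play.
    """
    ports = []
    for line in capture.splitlines():
        m = _LINE_RE.search(line)
        if m and m["src"] == resolver_ip and m["dport"] == "53":
            ports.append(int(m["sport"]))
    return ports


def port_entropy_bits(ports: list[int]) -> float:
    """Shannon entropy of the observed source-port distribution, in bits.

    0.0 means a single port was used every time; a fully random 16-bit
    port would approach 16 bits given enough samples.
    """
    if not ports:
        return 0.0
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def assess(ports: list[int]) -> str:
    """Classify observed ports as 'fixed', 'sequential', or 'randomized'.

    'sequential' (each port one higher than the last) is flagged separately
    because it is just as predictable to an attacker as a fixed port.
    """
    if len(ports) < 2:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed"
    if all(b - a == 1 for a, b in zip(ports, ports[1:])):
        return "sequential"
    return "randomized"


if __name__ == "__main__":
    for label, cap in (("before", BEFORE), ("after", AFTER)):
        ports = source_ports(cap, "192.168.1.10")
        print(f"{label}: ports={ports} entropy={port_entropy_bits(ports):.2f} "
              f"bits -> {assess(ports)}")
```

Run it against a real capture by reading the file into `BEFORE`/`AFTER` in place of the constructed text. A "randomized" verdict on a handful of packets is only a sanity check that the NAT rule (or the updated resolver) is touching the port at all; judging the quality of the randomization needs a much larger sample, which is what the entropy figure is for.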
