Message-ID: <2d460de70808010530j717dc5bdm73a44178605089e1@mail.gmail.com>
Date:	Fri, 1 Aug 2008 14:30:24 +0200
From:	"Richard Hartmann" <richih.mailinglist@...il.com>
To:	"Ray Lee" <ray-lk@...rabbit.org>
Cc:	"Willy Tarreau" <w@....eu>, linux-kernel@...r.kernel.org
Subject: Re: iptables, NAT, DNS & Dan Kaminsky

We are drifting from the initial topic, but oh well.. :)

On Thu, Jul 31, 2008 at 23:36, Ray Lee <ray-lk@...rabbit.org> wrote:


> or placing the DNS resolver behind a NAT
> masquerading firewall that does strict response dropping if a response
> comes from the wrong host. (There used to be an option in the kernel
> to deal with that -- loose source routing or somesuch, but I think
> that's a by-gone from the 2.4 era.)

You do not need a NAT to do this, you simply need to block packets
with a source address that does not match the routes your router has
in its routing table. Other than ISP end-customers and a few other
very clearly defined situations, this is highly non-trivial, though. Some
people still do this, but in most cases, it has proved impractical and
a source of many 'strange' errors.


> So, to answer Richard, yes something like that should work. I'm not an
> iptables guru by any means, but what you should do is set up a machine
> with that, and sniff the output of the DNS server before and after
> enabling that line to verify that it works.

I know that this is possible.
What I wanted to know is what kernel versions do what [automagically]
and in what way.


> The better solution, of course, is to update your DNS server to allow
> it to do the source port randomization itself.

Of course. But I want to fully understand all cases and this is the last
area I still lack information on.


Thanks,
Richard
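The check Richard describes, dropping packets whose source address does not match the route the router would use to reach that source, is what Linux exposes as strict reverse path filtering (the `net.ipv4.conf.all.rp_filter` sysctl set to 1). The following is an added example, not code from this thread or from the kernel: it implements the strict reverse-path decision over a small constructed routing table (longest-prefix match, then compare the outgoing interface with the ingress interface). The interface names and addresses are invented (documentation ranges), and the last sample packet shows the multihomed, asymmetric-routing case that strict mode drops even though the packet is legitimate, which is the kind of 'strange' error the reply refers to.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed routing table for a hypothetical multihomed edge router.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),        # default route via primary uplink
    Route(ipaddress.ip_network("192.0.2.0/24"), "eth1"),     # internal LAN
    Route(ipaddress.ip_network("198.51.100.0/24"), "eth2"),  # second uplink, used by another ISP
]


def lookup(table, addr):
    """Longest-prefix match: the route a packet *to* addr would take."""
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def strict_rpf_accept(table, src, ingress_iface):
    """Strict reverse-path check.

    Accept the packet only if a reply to its source address would leave
    through the same interface the packet arrived on.  A spoofed internal
    address arriving on the uplink fails this test; so does a legitimate
    packet that arrives via a path the routing table does not prefer.
    """
    route = lookup(table, ipaddress.ip_address(src))
    return route is not None and route.iface == ingress_iface


def filter_packets(table, packets):
    """Return (src, ingress_iface, decision) for each (src, ingress_iface) pair."""
    return [
        (src, iface, "accept" if strict_rpf_accept(table, src, iface) else "drop")
        for src, iface in packets
    ]


# Constructed sample packets: (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("192.0.2.10", "eth1"),    # LAN host on the LAN interface: accept
    ("192.0.2.10", "eth0"),    # LAN address arriving from the Internet: spoof, drop
    ("203.0.113.5", "eth0"),   # external host via the default route: accept
    ("203.0.113.5", "eth2"),   # same host, but reply would go out eth0: dropped by strict mode
]


if __name__ == "__main__":
    for src, iface, decision in filter_packets(ROUTES, SAMPLE_PACKETS):
        print(f"{src:>14} on {iface}: {decision}")
```

The fourth packet is why strict filtering is only safe where the topology is simple and symmetric (a single-homed stub network, an ISP customer link); on a multihomed router it silently discards valid traffic, so such routers usually relax the check or apply it only on the customer-facing interfaces.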