 From:  macgyver <macgyver at calibre dash solutions dot co dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  DNS Vulnerability...
 Date:  Thu, 24 Jul 2008 22:50:47 +0100
Hi All, 

I have searched the online lists, but I can't see any reference to
issues with the latest DNS vuln..

I've got patched BIND servers, and I can happily see random ports leaving
my servers (FreeBSD - ipfw)..
I can see them in my m0n0 firewall logs as I have set it to log all
outgoing DNS packets..


21:40:25.323159 DMZ, port 40548, port 53 UDP
21:40:25.722830 DMZ, port 24814, port 53 UDP
21:40:25.858093 DMZ, port 62811, port 53 UDP
21:40:25.858807 DMZ, port 37120, port 53 UDP
21:40:25.859510 DMZ, port 15329, port 53 UDP
21:40:25.860167 DMZ, port 49397, port 53 UDP
21:40:25.894653 DMZ, port 17337, port 53 UDP
21:40:25.897941 DMZ, port 31168, port 53 UDP
21:40:25.900510 DMZ, port 46358, port 53 UDP
21:40:25.901329 DMZ, port 41794, port 53 UDP
21:40:26.048241 DMZ, port 6685, port 53 UDP

... but...

When using the DNS-OARC tool, either via dig at the command line on my
server or the GUI from behind m0n0 - again with a patched server - I still get
"POOR" results..

What is seen by www.doxpora.com's tool is...

Your name server, at 21w.x.y.z, may be safe, but the NAT/Firewall in
front of it appears to be interfering with its port selection policy.
The difference between largest port and smallest port was only 114. 

Please talk to your firewall or gateway vendor -- all are working on
patches, mitigations, and workarounds.

21w.x.y.z:1518 TXID=27314
21w.x.y.z:1485 TXID=35481
21w.x.y.z:1522 TXID=23331
21w.x.y.z:1408 TXID=5093
21w.x.y.z:1512 TXID=20888


Can anyone assist in understanding why, and whether this is a problem with
m0n0wall or elsewhere?

My router is a "dumb" device really - ADSL one end - and ethernet other
- and has fully routable /29 addresses setup on the ethernet side - the
m0n0 having the other 5 usable addresses in the /29.

Not sure how I'd packet capture from it to see if what is leaving m0n0
is "right" - let alone see what left the router..