 From:  macgyver <macgyver at calibre dash solutions dot co dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  DNS Vulnerability...
 Date:  Thu, 24 Jul 2008 22:50:47 +0100
Hi All, 

I have searched the online lists, but I can't see any reference to
issues with the latest DNS vuln..

I've got patched BIND servers, and I can happily see random ports leaving
my servers (freebsd - ipfw)..
I can see them in my m0n0 firewall logs as I have set it to log all
outgoing DNS packets..

e.g.

21:40:25.323159 DMZ 192.168.2.20, port 40548 66.187.229.10, port 53 UDP
21:40:25.722830 DMZ 192.168.2.20, port 24814 192.31.80.32, port 53 UDP
21:40:25.858093 DMZ 192.168.2.20, port 62811 192.43.172.30, port 53 UDP
21:40:25.858807 DMZ 192.168.2.20, port 37120 192.43.172.30, port 53 UDP
21:40:25.859510 DMZ 192.168.2.20, port 15329 192.43.172.30, port 53 UDP
21:40:25.860167 DMZ 192.168.2.20, port 49397 192.43.172.30, port 53 UDP
21:40:25.894653 DMZ 192.168.2.20, port 17337 216.52.184.248, port 53 UDP
21:40:25.897941 DMZ 192.168.2.20, port 31168 216.52.184.248, port 53 UDP
21:40:25.900510 DMZ 192.168.2.20, port 46358 216.52.184.248, port 53 UDP
21:40:25.901329 DMZ 192.168.2.20, port 41794 216.52.184.248, port 53 UDP
21:40:26.048241 DMZ 192.168.2.20, port 6685 69.64.145.227, port 53 UDP


... but...

When using the DNS-OARC tool, either via dig at the command line on my
server or the GUI from behind m0n0 - again with a patched server - I still get
"POOR" results..

What is seen by www.doxpora.com's tool is...

<quote>
Your name server, at 21w.x.y.z, may be safe, but the NAT/Firewall in
front of it appears to be interfering with its port selection policy.
The difference between largest port and smallest port was only 114. 

Please talk to your firewall or gateway vendor -- all are working on
patches, mitigations, and workarounds.

21w.x.y.z:1518 TXID=27314
21w.x.y.z:1485 TXID=35481
21w.x.y.z:1522 TXID=23331
21w.x.y.z:1408 TXID=5093
21w.x.y.z:1512 TXID=20888

</quote>

Can anyone assist in understanding why - whether this is a problem with
m0n0wall or elsewhere?

My router is a "dumb" device really - ADSL one end - and ethernet the other
- and has fully routable /29 addresses set up on the ethernet side - the
m0n0 having the other 5 usable addresses in the /29.

Not sure how I'd packet capture from it to see if what is leaving m0n0
is "right" - let alone seeing what left the router..

Regards

AM
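The contrast the poster describes (wide source-port spread in the m0n0wall log, a spread of only 114 in the external tester's view) is exactly what a narrowing NAT looks like from outside. The script below is an added example, not code from the original post or from the m0n0wall project: it parses the two record formats visible in the message (m0n0wall outbound log lines, and the "addr:port TXID=n" lines from the port-randomisation tester) and reports the source-port spread for each, so the inside and outside views can be compared directly. The sample lines are reconstructed from the post; the external address is a TEST-NET placeholder standing in for the redacted "21w.x.y.z", and the threshold below which a spread is flagged as narrow is an assumption of this example, not the tester's published criterion.

```python
"""Compare DNS source-port spread seen inside vs. outside a NAT.

Added example (not from the original post). Parses the two record
formats quoted in the message and computes min/max/spread of the UDP
source ports used for outbound DNS queries.
"""
import re

# m0n0wall outbound log line, as quoted in the post:
#   21:40:25.323159 DMZ 192.168.2.20, port 40548 66.187.229.10, port 53 UDP
M0N0_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+), port (?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+), port (?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Line from the external port-randomisation tester, as quoted in the post:
#   21w.x.y.z:1518 TXID=27314
TXID_RE = re.compile(r"^(?P<src>\S+):(?P<sport>\d+)\s+TXID=(?P<txid>\d+)$")

# Assumed threshold for this example: a spread below this is called narrow.
# Unpatched resolvers used to pick ports from a tiny window; a healthy
# randomising resolver should use most of the 1024-65535 range.
NARROW_SPREAD = 1024

# Constructed sample: the inside view (m0n0wall log, copied from the post).
M0N0_SAMPLE = [
    "21:40:25.323159 DMZ 192.168.2.20, port 40548 66.187.229.10, port 53 UDP",
    "21:40:25.722830 DMZ 192.168.2.20, port 24814 192.31.80.32, port 53 UDP",
    "21:40:25.858093 DMZ 192.168.2.20, port 62811 192.43.172.30, port 53 UDP",
    "21:40:25.858807 DMZ 192.168.2.20, port 37120 192.43.172.30, port 53 UDP",
    "21:40:25.859510 DMZ 192.168.2.20, port 15329 192.43.172.30, port 53 UDP",
    "21:40:25.860167 DMZ 192.168.2.20, port 49397 192.43.172.30, port 53 UDP",
    "21:40:25.894653 DMZ 192.168.2.20, port 17337 216.52.184.248, port 53 UDP",
    "21:40:25.897941 DMZ 192.168.2.20, port 31168 216.52.184.248, port 53 UDP",
    "21:40:25.900510 DMZ 192.168.2.20, port 46358 216.52.184.248, port 53 UDP",
    "21:40:25.901329 DMZ 192.168.2.20, port 41794 216.52.184.248, port 53 UDP",
    "21:40:26.048241 DMZ 192.168.2.20, port 6685 69.64.145.227, port 53 UDP",
]

# Constructed sample: the outside view (tester output from the post, with
# 203.0.113.10 as a placeholder for the redacted public address).
TXID_SAMPLE = [
    "203.0.113.10:1518 TXID=27314",
    "203.0.113.10:1485 TXID=35481",
    "203.0.113.10:1522 TXID=23331",
    "203.0.113.10:1408 TXID=5093",
    "203.0.113.10:1512 TXID=20888",
]


def parse_ports(lines):
    """Extract UDP source ports of outbound DNS queries from either format."""
    ports = []
    for line in lines:
        line = line.strip()
        m = M0N0_RE.match(line)
        if m:
            # Only count UDP traffic to port 53; other log lines are ignored.
            if m["proto"] == "UDP" and m["dport"] == "53":
                ports.append(int(m["sport"]))
            continue
        m = TXID_RE.match(line)
        if m:
            ports.append(int(m["sport"]))
    return ports


def assess(ports):
    """Summarise the port spread and flag it if it falls below NARROW_SPREAD."""
    if not ports:
        return {"count": 0, "min": None, "max": None, "spread": 0, "narrow": True}
    lo, hi = min(ports), max(ports)
    return {
        "count": len(ports),
        "distinct": len(set(ports)),
        "min": lo,
        "max": hi,
        "spread": hi - lo,
        "narrow": (hi - lo) < NARROW_SPREAD,
    }


def compare_views(inside_lines, outside_lines):
    """Return both assessments; a wide inside spread with a narrow outside
    spread points at the NAT/firewall rewriting source ports."""
    inside = assess(parse_ports(inside_lines))
    outside = assess(parse_ports(outside_lines))
    nat_suspected = (not inside["narrow"]) and outside["narrow"]
    return {"inside": inside, "outside": outside, "nat_suspected": nat_suspected}


if __name__ == "__main__":
    result = compare_views(M0N0_SAMPLE, TXID_SAMPLE)
    for view in ("inside", "outside"):
        print(f"{view:8s} spread={result[view]['spread']:6d} "
              f"narrow={result[view]['narrow']}")
    print("NAT interference suspected:", result["nat_suspected"])
```

Run it as-is and the inside view reports a spread of 56126 while the outside view reports 114, the same figure the tester quoted, and the comparison flags the NAT as the likely cause. To use it on a live box, feed the firewall's outbound-DNS log lines and the tester's output into `compare_views`; if the firewall performs outbound NAT with its own source-port allocation, the fix is on the firewall (a port-preserving or randomising NAT), not on the resolver.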