 From:  "apiasecki at midatlanticbb dot com" <apiasecki at midatlanticbb dot com>
 To:  macgyver <macgyver at calibre dash solutions dot co dot uk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DNS Vulnerability...
 Date:  Thu, 24 Jul 2008 18:29:33 -0400
Read the pfSense lists; A LOT of discussion has been going on about this.

Adam

macgyver wrote:
> Hi All, 
>
> I have searched the online lists, but I can't see any reference to
> issues with the latest DNS vuln..
>
> I have patched BIND servers, and I can happily see random ports leaving
> my servers (FreeBSD, ipfw)..
> I can see them in my m0n0 firewall logs as I have set it to log all
> outgoing DNS packets..
>
> e.g.
>
> 21:40:25.323159 DMZ 192.168.2.20, port 40548 66.187.229.10, port 53 UDP
> 21:40:25.722830 DMZ 192.168.2.20, port 24814 192.31.80.32, port 53 UDP
> 21:40:25.858093 DMZ 192.168.2.20, port 62811 192.43.172.30, port 53 UDP
> 21:40:25.858807 DMZ 192.168.2.20, port 37120 192.43.172.30, port 53 UDP
> 21:40:25.859510 DMZ 192.168.2.20, port 15329 192.43.172.30, port 53 UDP
> 21:40:25.860167 DMZ 192.168.2.20, port 49397 192.43.172.30, port 53 UDP
> 21:40:25.894653 DMZ 192.168.2.20, port 17337 216.52.184.248, port 53 UDP
> 21:40:25.897941 DMZ 192.168.2.20, port 31168 216.52.184.248, port 53 UDP
> 21:40:25.900510 DMZ 192.168.2.20, port 46358 216.52.184.248, port 53 UDP
> 21:40:25.901329 DMZ 192.168.2.20, port 41794 216.52.184.248, port 53 UDP
> 21:40:26.048241 DMZ 192.168.2.20, port 6685 69.64.145.227, port 53 UDP
>
>
> ... but...
>
> when using the DNS-OARC tool, either via dig at the command line on my
> server or the GUI from behind m0n0 - again with a patched server, I still get
> "POOR" results..
>
> What is seen by www.doxpora.com's tool is...
>
> <quote>
> Your name server, at 21w.x.y.z, may be safe, but the NAT/Firewall in
> front of it appears to be interfering with its port selection policy.
> The difference between largest port and smallest port was only 114. 
>
> Please talk to your firewall or gateway vendor -- all are working on
> patches, mitigations, and workarounds.
>
> 21w.x.y.z:1518 TXID=27314
> 21w.x.y.z:1485 TXID=35481
> 21w.x.y.z:1522 TXID=23331
> 21w.x.y.z:1408 TXID=5093
> 21w.x.y.z:1512 TXID=20888
>
> </quote>
>
> Can anyone assist in understanding why - is this a problem with
> m0n0wall or elsewhere?
>
> My router is a "dumb" device really - ADSL one end and ethernet the other
> - and has fully routable /29 addresses set up on the ethernet side, the
> m0n0 having the other 5 usable addresses in the /29.
>
> Not sure how I'd packet capture from it to see if what is leaving m0n0
> is "right" - let alone seeing what left the router..
>
> Regards
>
> AM
>
>
>
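The gap the thread is chasing is between the source ports the firewall logs on the inside and the ports the external test sees after NAT. The script below is an added example, not code from the thread or from m0n0wall: it parses both samples quoted above (the m0n0wall log lines and the external tool's per-query lines) and reports the port spread on each side, so a defender can tell whether a NAT is collapsing the resolver's randomization. The `min_spread` threshold is an assumed heuristic, not the value the external tool applies.

```python
import re

# Outgoing-DNS lines from the m0n0wall firewall log quoted in the thread.
M0N0_LOG = """\
21:40:25.323159 DMZ 192.168.2.20, port 40548 66.187.229.10, port 53 UDP
21:40:25.722830 DMZ 192.168.2.20, port 24814 192.31.80.32, port 53 UDP
21:40:25.858093 DMZ 192.168.2.20, port 62811 192.43.172.30, port 53 UDP
21:40:25.858807 DMZ 192.168.2.20, port 37120 192.43.172.30, port 53 UDP
21:40:25.859510 DMZ 192.168.2.20, port 15329 192.43.172.30, port 53 UDP
21:40:25.860167 DMZ 192.168.2.20, port 49397 192.43.172.30, port 53 UDP
21:40:25.894653 DMZ 192.168.2.20, port 17337 216.52.184.248, port 53 UDP
21:40:25.897941 DMZ 192.168.2.20, port 31168 216.52.184.248, port 53 UDP
21:40:25.900510 DMZ 192.168.2.20, port 46358 216.52.184.248, port 53 UDP
21:40:25.901329 DMZ 192.168.2.20, port 41794 216.52.184.248, port 53 UDP
21:40:26.048241 DMZ 192.168.2.20, port 6685 69.64.145.227, port 53 UDP
"""
# Per-query lines from the external port-randomness test quoted in the thread.
EXTERNAL_REPORT = """\
21w.x.y.z:1518 TXID=27314
21w.x.y.z:1485 TXID=35481
21w.x.y.z:1522 TXID=23331
21w.x.y.z:1408 TXID=5093
21w.x.y.z:1512 TXID=20888
"""
M0N0_RE = re.compile(r"^\S+ \S+ \S+, port (\d+) \S+, port (\d+) UDP$")
REPORT_RE = re.compile(r"^\S+:(\d+) TXID=\d+$")

def ports_from_m0n0_log(text, dst_port=53):
    """Source ports of UDP flows to dst_port as the firewall saw them (inside the NAT)."""
    ports = []
    for line in text.splitlines():
        m = M0N0_RE.match(line.strip())
        if m and int(m.group(2)) == dst_port:
            ports.append(int(m.group(1)))
    return ports

def ports_from_report(text):
    """Source ports as the external test server saw them (after the NAT)."""
    return [int(m.group(1)) for line in text.splitlines()
            if (m := REPORT_RE.match(line.strip()))]

def assess_port_spread(ports, min_spread=4096):
    """Summarise how widely the ports vary. min_spread is an assumed heuristic,
    not the external tool's rule; fewer than 5 samples is inconclusive."""
    if len(ports) < 5:
        return {"samples": len(ports), "verdict": "INSUFFICIENT"}
    spread = max(ports) - min(ports)
    return {"samples": len(ports), "min": min(ports), "max": max(ports),
            "spread": spread, "distinct": len(set(ports)),
            "verdict": "POOR" if spread < min_spread else "OK"}
```

Run on the two samples, the inside view reports a spread of 56126 across 11 queries (OK) while the outside view reports 114 (POOR), which is the same 114 the external tool complained about.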