 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DNS Vulnerability...
 Date:  Fri, 25 Jul 2008 07:48:17 +0200
On 25.07.2008, at 01:48, Chris Buechler wrote:

> I believe ipfilter will randomize source ports by default on NATed
> traffic just like pf does, but I'm not sure of that.

It doesn't, yet, so running a DNS server behind m0n0wall while using
PAT (not just 1:1 NAT) will undo the DNS server's query port
randomization. ipfilter 4.1.30 apparently does source port
randomization (from the change log: "2020447 IPFilter's NAT can undo
name server random port selection") - I'll wait for it to appear in
FreeBSD's CVS repository, and if it doesn't happen within a couple of
days, I'll go through the trouble of importing 4.1.30 myself.

But this is an entirely different beast than Dnsmasq's own
randomization (which works fine in 1.3b13) - only people who run their
own recursive DNS server behind m0n0wall are affected.

- Manuel
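The effect Manuel describes, as an added illustration that is not part of the thread and not code from m0n0wall, ipfilter or Dnsmasq: a small model of a recursive resolver that randomizes its query source port sitting behind three kinds of translation. The 1:1 NAT passes the port through; the sequential PAT overwrites it with the next port from a counter (the pre-4.1.30 ipfilter behaviour the message refers to); the randomizing PAT draws the outside port at random from its pool. The resolver address, port ranges, seeds and the counter's starting port are all assumptions chosen for the example, and `search_space` is a constructed measure (the spread of ports actually seen upstream) of how many ports a spoofing attacker would have to cover.

```python
"""Model of how port-translating NAT (PAT) interacts with a resolver's
query-port randomization.  Illustration only; not ipfilter/Dnsmasq code."""
import random

PORT_LOW, PORT_HIGH = 1024, 65535      # assumed resolver ephemeral range


def resolver_ports(n, seed=1):
    """Source ports a randomizing recursive resolver picks for n queries.
    The seed is fixed only so the example is reproducible."""
    rng = random.Random(seed)
    return [rng.randint(PORT_LOW, PORT_HIGH) for _ in range(n)]


class OneToOneNAT:
    """1:1 NAT rewrites only the address; the source port passes through."""
    def translate(self, inside_ip, inside_port):
        return inside_port


class SequentialPAT:
    """PAT that hands out outside ports from a counter.  This is the
    behaviour the message attributes to ipfilter before 4.1.30: whatever
    port the resolver chose, the upstream side sees the next counter value."""
    def __init__(self, first_port=10000):        # assumed starting port
        self.next_port = first_port
        self.table = {}          # (inside_ip, inside_port) -> outside port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:                 # new flow: allocate next port
            self.table[key] = self.next_port
            self.next_port += 1
        return self.table[key]


class RandomPAT(SequentialPAT):
    """Same stateful table, but outside ports are drawn at random from the
    pool, which is what the 4.1.30 change log entry describes."""
    def __init__(self, seed=2, low=10000, high=60000):   # assumed pool
        super().__init__()
        self.rng = random.Random(seed)
        self.low, self.high = low, high

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            used = set(self.table.values())
            while True:                           # pick an unused pool port
                port = self.rng.randint(self.low, self.high)
                if port not in used:
                    break
            self.table[key] = port
        return self.table[key]


def ports_seen_upstream(nat, n=200, inside_ip="192.168.1.53"):
    """Source ports the authoritative server (or a spoofing attacker) sees
    for n queries from the resolver at inside_ip behind the given NAT."""
    return [nat.translate(inside_ip, p) for p in resolver_ports(n)]


def search_space(ports):
    """Constructed measure: the spread of the ports actually observed, i.e.
    how many ports an attacker has to cover to hit the resolver's next query."""
    return max(ports) - min(ports) + 1


if __name__ == "__main__":
    for name, nat in [("1:1 NAT", OneToOneNAT()),
                      ("sequential PAT", SequentialPAT()),
                      ("randomizing PAT", RandomPAT())]:
        ports = ports_seen_upstream(nat)
        print(f"{name:16s} first ports {ports[:5]}  "
              f"search space {search_space(ports)}")
```

Run it and the sequential PAT column shows the resolver's random ports collapsing to 10000, 10001, 10002, ... upstream, while 1:1 NAT and the randomizing PAT leave the attacker with tens of thousands of ports to guess. Real NAT state entries expire, so a production PAT table is smaller than this model's, but the collapse of the port space is the same.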