[ previous ] [ next ] [ threads ]
 From:  "Angus MacGyver" <macgyver at calibre dash solutions dot co dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DNS Vulnerbility...
 Date:  Fri, 25 Jul 2008 09:41:22 -0000 (UTC)
On Fri, July 25, 2008 05:48, Manuel Kasper wrote:
> On 25.07.2008, at 01:48, Chris Buechler wrote:
>> I believe ipfilter will randomize source ports by default on NATed
>> traffic just like pf does, but I'm not sure of that.
> It doesn't, yet, so running a DNS server behind m0n0wall while using
> PAT (not just 1:1 NAT) will undo the DNS server's query port
> randomization. ipfilter 4.1.30 apparently does source port
> randomization (from the change log: "2020447 IPFilter's NAT can undo
> name server random port selection") - I'll wait for it to appear in
> FreeBSD's CVS repository, and if it doesn't happen within a couple of
> days, I'll go through the trouble of importing 4.1.30 myself.
> But this is an entirely different beast than Dnsmasq's own
> randomization (which works fine in 1.3b13) - only people who run their
> own recursive DNS server behind m0n0wall are affected.
> - Manuel

Great  - thanks for the update.

Will both DnsMasq and the ipfilter fixes be ported back to 1.2.x series ?
(site says not to use 1.3beta for production - hence the question)

Now the only other question remains - would it be worthwhile to set
internal DNS servers to use m0n0wall's Dnsmasq as a forwarder to get
around this temporarily ?

I guess that might save a lot of sysadmin's work re-jigging a network with
DHCP scopes for clients etc - or even having to "trust" 3rd party DNS


I'm not perfect, but I am forgiven.