North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: SANS: DNS Bug Now Public?
After a bit of looking around, I have not been able to find a list of firewalls/versions which are known to provide appropriate randomness in their PAT algorithms (or more importantly, those that do not). I would be very interested in such a list if anyone knows of one. As a side note, most people here realize this but, while people mention firewalls, keep in mind that if a load-balancer or other device is your egress PAT device, you might be interested in checking those systems port-translation randomness as well. --D On Wed, Jul 23, 2008 at 10:11 AM, Joe Abley <jabley@xxxxxxxxxxxxxxx> wrote: > > On 23 Jul 2008, at 12:16, Jorge Amodio wrote: > > Let me add that folks need to understand that the "patch" is not a fix to a >> problem that has been there for long time and >> it is just a workaround to reduce the chances for a potential >> attack, and it must be combined with best practices and >> recommendations to implent a more robust DNS setup. >> > > Having just seen some enterprise types spend time patching their > nameservers, it's also perhaps worth spelling out that "patch" in this case > might require more than upgrading resolver code -- it could also involve > reconfigurations, upgrades or replacements of NAT boxes too. If your NAT > reassigns source ports in a predictable fashion, then no amount of BIND9 > patching is going to help. > > (Reconfiguring your internal resolvers to forward queries to an external, > patched resolver which can see the world other than through NAT-coloured > glasses may also be a way out.) > > > Joe > > > -- -- Darren Bolding -- -- darren@xxxxxxxxxxx --