I'm not exactly sure what you said, but I do know that if your
firewall or port forwarder is changing the source ports of outbound
queries to be something predictable, or to be all the same, then you
have a problem. The patch on your name server is not enough - you also
have to fix your firewall.

Linux iptables does not appear to change source ports.

Chris Buxton
Professional Services
Men & Mice

On Jul 25, 2008, at 11:30 PM, Brian Keefer wrote:

> I just looked at it a bit more closely...
>
> I'm using OpenBSD for my firewall and my nameservers. The firewall
> is 3.5, the nameservers are 4.3. The firewall is just doing
> standard PF nat for outbound requests. Whether I used the doxpara
> tool, or dns-oarc the source ports from my recursive resolver were
> the same (pre-patch), but on the external interface of my firewall,
> the packets to doxpara did not get randomized ports, while those to
> dns-oarc did. Post-patch the resolver itself has random source
> ports, so it's moot.
>
> There have been several suggestions for writing PF nat statements to
> cover this vulnerability, and other folks supposedly had luck with
> them, so perhaps something changed with PF's randomization since
> 3.5? I haven't had enough spare time to comb the commit comments...
>
> Dan did mention something in his blog about not having updated his
> tool to account for iptables or PF randomization, but I'm not sure
> why the tool being able to force the same source port is a bug with
> his script rather than a way to defeat said packet filter
> randomization...
>
> Brian Keefer
> Sr. Systems Engineer
> www.Proofpoint.com
> "Defend email. Protect data."
>