Risks of patched servers behind de-randomizing NAT - DNS



  1. Risks of patched servers behind de-randomizing NAT

    I seem to have lost a message where somebody from ISC (Paul?) was going to
    release an updated/new advisory regarding the source-port de-randomizing
    effects that many NAT implementations will have upon patched servers.

    Many of the folks I'm working with are unconcerned about this problem,
    because they cannot come up with an attack scenario against a recursive
    server behind a [NATting] firewall. They are also apparently hearing
    claims from our firewall vendor (starts with a letter between I and K) that
    this is not a big deal for servers behind a [their?] firewall. (Were they
    not invited to The Big Meeting?)

    Can we get a reading from Those Who Know about how likely it is that
    BadGuys can trick a client inside such a firewall to facilitate an attack
    against an internal recursive server (said server can query through the firewall).

    Thanks.



  2. Re: Risks of patched servers behind de-randomizing NAT

    David Carmean writes:
    > I seem to have lost a message where somebody from ISC (Paul?) was going to
    > release an updated/new advisory regarding the source-port de-randomizing
    > effects that many NAT implementations will have upon patched servers.


    But why would someone put a DNS server behind a NAT? It's a bit nonsensical...
    --
    Regards,
    Jaroslaw Rafa
    raj@ap.krakow.pl
    --
    Visit my new site: http://www.ap.krakow.pl/~raj/


  3. Re: Risks of patched servers behind de-randomizing NAT

    On Thu, Jul 31, 2008 at 10:28:51PM +0200, Jaroslaw Rafa wrote:

    > But why would someone put a DNS server behind a NAT? It's a bit nonsensical...


    Think "recursive server inside large enterprise, to resolve internal-only
    domains in addition to Internet queries".



  4. Re: Risks of patched servers behind de-randomizing NAT


    > But why would someone put a DNS server behind a NAT? It's a bit nonsensical...


    Not at all. I run a recursive validating resolver on my laptop, and
    it's always behind a NAT, whether I'm at home or at a coffee shop--how
    else? I also have a dedicated resolver behind my home NAT; with eight
    computers on my home network, and $75/year for each additional IP address,
    it makes sense (to me, anyway) to do things that way.

    Yesterday I discovered that the router I'm using at home was reassigning
    BIND's nicely randomized ports into a very predictable pattern. I upgraded
    the firmware and the situation is improved; now the ports are reassigned to
    pseudorandom values--but I know nothing about the quality of the PRNG.

    I'll be happier when I replace the router.

    --
    Evan Hunt -- evan_hunt@isc.org
    Internet Systems Consortium, Inc.
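The router behaviour Evan describes is something a defender can measure from the outside: capture the resolver's outbound UDP source ports on the WAN side of the NAT (or read them back from an external port-test service) and score the sample. The following is an added example written for this page, not code from the thread, from ISC or from BIND; the port lists are constructed and the thresholds are assumptions for illustration.

```python
# Added example, not from the thread: score a sample of UDP source ports as
# observed *outside* a NAT (WAN-side capture or an external port-test service)
# for the de-randomization the posters describe.
import math
from collections import Counter

def entropy_ratio(ports):
    """Empirical entropy / log2(n): 1.0 if every port is distinct, 0.0 if one port repeats."""
    n = len(ports)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(ports).values())
    return h / math.log2(n)

def sequential_fraction(ports):
    """Fraction of adjacent samples stepping by exactly +1 (a counter-style NAT)."""
    if len(ports) < 2:
        return 0.0
    return sum(b - a == 1 for a, b in zip(ports, ports[1:])) / (len(ports) - 1)

def assess_ports(ports, min_entropy_ratio=0.8, max_sequential=0.2, min_span=1024):
    """Metrics plus a verdict: 'predictable' if the sample looks guessable, else 'ok'.
    Thresholds are illustrative assumptions, not published guidance."""
    span = (max(ports) - min(ports) + 1) if ports else 0
    m = {"entropy_ratio": round(entropy_ratio(ports), 3),
         "sequential_fraction": round(sequential_fraction(ports), 3),
         "span": span}
    bad = (m["entropy_ratio"] < min_entropy_ratio
           or m["sequential_fraction"] > max_sequential
           or span < min_span)
    m["verdict"] = "predictable" if bad else "ok"
    return m

# Constructed samples, not real captures.
COUNTER_NAT = list(range(1024, 1056))   # NAT rewrites ports to a running counter
FIXED_NAT = [53] * 16                     # NAT pins every query to one port
RANDOM_OK = [51234, 3077, 60921, 17455, 42890, 9156, 33021, 58710,
             21977, 47302, 12568, 64004, 27349, 38815, 5590, 55231]

if __name__ == "__main__":
    for name, sample in (("counter", COUNTER_NAT), ("fixed", FIXED_NAT), ("random", RANDOM_OK)):
        print(name, assess_ports(sample))
```

A sample that scores "predictable" means the NAT, not the resolver, is choosing the ports, and the resolver's own randomization fix is not reaching the wire.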

