thinking sysadmin » nat http://andyleonard.com qstat -u aleonard -s z Fri, 30 Jul 2010 17:47:40 +0000 http://wordpress.org/?v=2.9.1 en hourly 1 Thought you fixed that DNS spoofing bug? You might need to think again. http://andyleonard.com/2008/07/27/thought-you-fixed-that-dns-spoofing-bug-you-might-need-to-think-again/ http://andyleonard.com/2008/07/27/thought-you-fixed-that-dns-spoofing-bug-you-might-need-to-think-again/#comments Sun, 27 Jul 2008 15:14:21 +0000 Andy http://andyleonard.com/?p=55 So you thought you fixed the DNS spoofing vulnerability that was all over the news this month? You applied the patches and moved on to the other fifty-seven things crowded on your to-do list, thinking that you were safe? If your resolvers are behind a NAT, you might want to think again, smart guy.

In a nutshell, your handy-dandy NAT box is quite possibly making your resolver’s now-random UDP source ports sequential, making you vulnerable again. The only “vendors” I’m aware of that don’t have this issue are Linux’s IPTables and OpenBSD’s PF (also available on FreeBSD, of course) – funny that, since those guys aren’t really vendors at all. I could be just ignorant or looking in the wrong place, but this doesn’t even seem to be on Cisco’s radar right now, for example.

The tester in the sidebar at DoxPara Research seems to do a good job of testing your configuration end-to-end for this vulnerability.

(File this under “Just another reason why NAT is evil.”)

]]> http://andyleonard.com/2008/07/27/thought-you-fixed-that-dns-spoofing-bug-you-might-need-to-think-again/feed/ 0