Re: iptables, NAT, DNS & Dan Kaminsky



On Wed, Jul 30, 2008 at 04:53:57PM +0200, Richard Hartmann wrote:
Hi all,

as you are very likely all aware, Dan Kaminsky uncovered a major exploit
in RFC-compliant DNS caching servers, the successful execution of which
relies on port prediction/guessing.

After quite some research, I have come up with the following facts which
I want to cross-check with you guys so I can be _sure_.


1) The --random target for SNAT exists since 2.6.22 to allow 'fixing' of
broken DNS servers in your NATted LAN along the lines of

iptables -t nat -I POSTROUTING 1 -p udp -s 1.2.3.4 --dport 53 -j SNAT \
--to 1.2.3.4 --random

Is that correct?


2) Unless there is a collision, the original UDP source ports for
requests are kept the same. I.e. boxes within the NATted LAN which use
random UDP ports are secure and neither the 2.4.x nor the 2.6.x series
of kernels will make those ports predictable while NATting the packets.
Is that correct?


3) Ever since a commit that went into 2.6.24 [1], UDP ports that are
NATted are randomized by the NATting forwarder, anyway. This means that
any DNS lookup made from within a NATted LAN secured with iptables to a
DNS server outside of said NAT is secure by default.
Is that correct?


Thanks for any and all input. I am sure many people would like
clarification on those points.

Richard,

you should re-post your question to relevant lists. I think that
the netfilter ML would be more appropriate. The list you posted to
is about Linux kernel development, which has nothing to do with
how to set up iptables rules, so I don't think you'll find useful
answers here, if any. And BTW I don't think that many of the people
reading LKML care a dime about the "exploit" for poorly configured
DNS servers.

Regards,
Willy

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
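Added example, not part of the thread: a small POSIX sh helper that takes the kernel version thresholds stated in Richard's points 1 and 3 at face value and either emits the SNAT --random rule for a NAT gateway's outbound LAN DNS queries or reports that the gateway kernel predates that option. The LAN range 192.168.1.0/24 and public address 203.0.113.5 are constructed placeholders; --to-source is the long form of the --to option used in the quoted rule.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the version facts quoted in
# the thread: SNAT --random exists from 2.6.22, NAT port randomization is
# built in from 2.6.24.

# kernel_ge VERSION MIN: exit 0 if dotted VERSION >= MIN, else exit 1.
# Pre-release suffixes such as "-rc3" are stripped before comparing.
kernel_ge() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    need=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    # Sort the two versions numerically field by field; the smaller one
    # comes first. VERSION >= MIN exactly when MIN is the smaller (or equal).
    lowest=$(printf '%s\n%s\n' "$need" "$have" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$need" ]
}

# dns_snat_rule KERNEL LAN_CIDR PUBLIC_IP: print the iptables command that
# rewrites the source of LAN DNS queries to PUBLIC_IP with a random source
# port (the --random target from point 1), or a note when the kernel is too
# old for it. On >= 2.6.24 the explicit --random is redundant per point 3,
# but it is harmless and documents the intent in the ruleset.
dns_snat_rule() {
    kver=$1; lan=$2; pub=$3
    if kernel_ge "$kver" "2.6.22"; then
        printf 'iptables -t nat -I POSTROUTING 1 -p udp -s %s --dport 53 -j SNAT --to-source %s --random\n' \
            "$lan" "$pub"
    else
        printf '# kernel %s predates SNAT --random (2.6.22); upgrade the gateway kernel\n' \
            "$kver"
    fi
}

# Usage on the gateway itself (constructed placeholder addresses):
#   dns_snat_rule "$(uname -r)" 192.168.1.0/24 203.0.113.5
```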