public inbox for [email protected]
From: Tom Lane <[email protected]>
To: Andrew Sullivan <[email protected]>
Cc: [email protected]
Subject: Re: Insecure DNS servers on PG infrastructure
Date: Fri, 25 Jul 2008 16:44:32 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
Andrew Sullivan <[email protected]> writes:
> On Fri, Jul 25, 2008 at 11:02:03AM -0400, Tom Lane wrote:
>> If it says FAIR or POOR then you have an unpatched server or there
>> is something interfering with the port randomization. If the server
>> is behind a NAT firewall then the latter is entirely likely.
> There's no reason that a NAT should do that, if the device is
> competently built: if you randomise source ports on the inside, the
> NAT device could just use the same port on the outside.
I'm not convinced that that's true. If the router is trying to forward
UDP messages arriving from several "inside" IP addresses using only one
"outside" address, it has to deal with the possibility of collisions,
ie two "inside" addresses using the same port number at about the same
time. So it doesn't surprise me that it rewrites the port numbers.
If it assigned randomly-generated substitute numbers there'd be no
problem, but with no prior knowledge that would be a good idea you can
hardly blame the router authors for not indulging in extra complexity.
What I do know is that my own firewall hardware (a Netopia T1 router
that's two or three years old) *was* rewriting UDP port numbers on
requests from a machine that was sharing a NAT address with others.
After remapping to give that machine its own "outside" IP address,
it stopped doing so. BTW the porttest.dns-oarc.net service was
invaluable in testing this; I'd probably have thought that just
installing the new BIND made me safe, if I hadn't had a way to test it.
regards, tom lane
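The mechanism Tom describes above, as an added simulation that is not part of this thread and not the code of any router or of BIND: a patched resolver that picks a random UDP source port per query sits behind a many-to-one NAT, and the upstream DNS server only ever sees the ports the NAT chose. Three hypothetical allocation policies are compared: sequential rewriting (what Tom observed on his Netopia), preserving the inside port unless it is already taken (Andrew's suggestion, with sequential fallback on collision), and random substitution (Tom's "no problem" case). The GOOD/FAIR/POOR rating is a coarse standard-deviation heuristic loosely modelled on what porttest.dns-oarc.net reports; its thresholds, the policy names, the port range and the 10.0.0.x host addresses are assumptions made for this example, not the service's actual values.

```python
"""Simulate DNS source-port randomization passing through a many-to-one NAT.

Example code added for illustration; policies, thresholds and addresses are
assumptions, not the behaviour of any particular product or of porttest.
"""
import random
import statistics

PORT_MIN, PORT_MAX = 1024, 65535   # assumed ephemeral range for the resolver


class Nat:
    """Minimal UDP port-address translation.

    Every (inside_ip, inside_port) flow is mapped to exactly one outside port;
    'policy' decides how that outside port is chosen when a new flow appears.
    Entries never expire here, which is enough for a short burst of queries.
    """

    def __init__(self, policy, rng):
        self.policy = policy          # "sequential" | "preserve" | "random"
        self.rng = rng
        self.table = {}               # (inside_ip, inside_port) -> outside port
        self.in_use = set()           # outside ports currently allocated
        self.next_seq = PORT_MIN      # cursor for the sequential allocator

    def _sequential(self):
        # Hand out the next free port in order; wrap at the top of the range.
        while self.next_seq in self.in_use:
            self.next_seq = PORT_MIN if self.next_seq >= PORT_MAX else self.next_seq + 1
        port = self.next_seq
        self.next_seq = PORT_MIN if port >= PORT_MAX else port + 1
        return port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key in self.table:
            return self.table[key]
        if self.policy == "preserve" and inside_port not in self.in_use:
            port = inside_port        # keep the resolver's random port as-is
        elif self.policy == "random":
            port = self.rng.randrange(PORT_MIN, PORT_MAX + 1)
            while port in self.in_use:          # resolve collisions by re-rolling
                port = self.rng.randrange(PORT_MIN, PORT_MAX + 1)
        else:
            # "sequential", and the collision fallback for "preserve": this is
            # the rewriting that flattens the resolver's randomization.
            port = self._sequential()
        self.table[key] = port
        self.in_use.add(port)
        return port


def run_queries(nat, hosts, n_queries, rng):
    """Each query from each inside host uses a fresh random source port, as a
    patched resolver does. Returns the outside ports an upstream server sees."""
    observed = []
    for i in range(n_queries):
        host = hosts[i % len(hosts)]
        inside_port = rng.randrange(PORT_MIN, PORT_MAX + 1)
        observed.append(nat.translate(host, inside_port))
    return observed


def rate_ports(ports):
    """Coarse rating of the observed source ports by standard deviation.
    Thresholds are assumptions for this example, not porttest's real ones."""
    sd = statistics.pstdev(ports)
    if sd < 300:
        return "POOR", sd
    if sd < 4000:
        return "FAIR", sd
    return "GOOD", sd


def simulate(policy, n_queries=200, hosts=("10.0.0.5", "10.0.0.6", "10.0.0.7"), seed=1):
    """Run n_queries from the given inside hosts through a NAT with 'policy' and
    rate what the outside world sees. Seeded so results are reproducible."""
    rng = random.Random(seed)
    nat = Nat(policy, rng)
    return rate_ports(run_queries(nat, hosts, n_queries, rng))


if __name__ == "__main__":
    for policy in ("sequential", "preserve", "random"):
        rating, sd = simulate(policy)
        print(f"{policy:10s} shared outside address: {rating} (stddev {sd:.0f})")
    # Tom's remedy: one machine with its own outside address, so no sharing and
    # no collisions; with a port-preserving policy nothing gets rewritten.
    rating, sd = simulate("preserve", hosts=("10.0.0.5",))
    print(f"preserve   dedicated outside address: {rating} (stddev {sd:.0f})")
```

The sequential policy turns 200 well-randomized inside ports into a run of 200 consecutive outside ports, which is exactly the pattern a port-randomness test flags even though the resolver itself is patched; preserving or randomizing the outside port keeps the spread. The last case mirrors Tom's fix of giving the machine its own outside address: with no other host sharing the mapping, a port-preserving NAT has nothing to rewrite.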