Correct me if I'm wrong, but from my understanding doesn't the new BIND randomize outgoing source ports only? If so, then if you have your firewall set to allow established connections you should be all set.

P.A

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of John Hinton
> Sent: Wednesday, July 23, 2008 12:41 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Bind Firewall Rules
>
> nate wrote:
> > John Hinton wrote:
> >
> >> Do I just ask really hard questions or are my questions just not clear?
> >> There has to be others on this list that are running nameservers via
> >> CentOS. This seems to be a nasty issue that we who are running bind need
> >> to get right.
> >>
> >
> > And the fix is really stupid for those running name servers behind firewalls.
> >
> > I can't say I'm an expert on this particular issue, but from what I've
> > read it seems like the attack depends on being able to send queries to
> > the name server in question in order to predict the IDs that the system
> > is generating.
> >
> > The way my DNS is set up at home is that I have 2 "external" name servers
> > that do not allow recursion for domains that they are not responsible
> > for, other than for a couple of trusted IPs (all of which are local). My
> > main caching name server is internal to my network and cannot be directly
> > queried from the internet. As such I think my exposure is pretty low.
> > All of my name servers are set up to force their source port to be 53;
> > I really, really don't like the idea of opening up tens of thousands of
> > ports back to my name servers.
> >
> > So I suspect your caching name servers are only vulnerable if they
> > can be sent queries from the attacker. If your internal network is
> > trusted, then I think you're fairly safe as long as you don't allow
> > access to the caching name servers externally. And of course run
> > dedicated name servers for authoritative hosting.
> >
> > I plan to have a similar setup at my company: the external authoritative
> > servers are not behind a firewall (F5 Global Traffic Managers), the
> > internal ones are not accessible outside the network. DNS cache
> > poisoning is the least of my worries if an attacker has access to the
> > internal network.
> >
> > nate
> >
> >
> I'm running caching nameservers on almost all of my systems and then
> also three nameservers. All are available publicly. I too had hard-coded
> bind to port 53. I also had specifically opened port 53 through the
> firewall. But now, it appears that using only port 53 is a bad thing.
> From what I read, both the port and the ID need to change to be secure
> (even this is just security through obscurity). It's sounding like I'll
> need to open a port range, but I don't know what a 'good practice' will be.
>
> I read through the Red Hat notes, googled and read all over the place.
> All I seem to find is to remove the named.conf line that forces bind
> through port 53 and then statements like 'your firewall will need to be
> adjusted accordingly', with no good suggestions for how to do this.
>
> So, I'm faced with turning off the firewall to show good external
> testing on bind.... sort of like unlocking every window and door to a
> house, in order to try to keep someone from trying to open just one.
>
> John Hinton
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
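The thread's advice boils down to removing the named.conf line that pins BIND's outgoing query source port to 53 and letting the firewall admit the replies by connection state rather than by a fixed port. The script below is an added example, not code from the CentOS list or from ISC: it audits a named.conf text for `query-source` / `query-source-v6` directives that still pin a numeric port (a `port *` clause or no port clause at all is fine), ignoring commented-out lines. The sample configuration is constructed for the example.

```python
"""Audit a named.conf for a pinned outgoing query source port.

Added example for the list thread above (not the list's or ISC's code).
A numeric port in query-source/query-source-v6 defeats BIND's source-port
randomization; this finds such lines so they can be removed before the
firewall is switched to a state-based rule. Sample config is constructed.
"""
import re

# Constructed sample: a typical pre-fix options block.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    // pinned source port: defeats source-port randomization
    query-source address * port 53;
    query-source-v6 port 53;   # same problem for IPv6
    /* query-source port 5300; commented out, must be ignored */
    recursion yes;
};
"""


def strip_named_conf_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, //, #.

    Sufficient for an audit; it does not special-case comment markers
    that appear inside quoted strings.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*?$", "", text, flags=re.M)
    return text


# Matches "query-source ...;" and "query-source-v6 ...;" up to the semicolon.
_QUERY_SOURCE = re.compile(r"\b(query-source(?:-v6)?)\s+([^;{}]*);")


def find_pinned_query_source_ports(conf_text: str) -> list:
    """Return (directive, port) for every query-source* that pins a port.

    'port *' or a missing port clause lets BIND choose a random port and
    is not reported; a numeric port is.
    """
    findings = []
    cleaned = strip_named_conf_comments(conf_text)
    for directive, args in _QUERY_SOURCE.findall(cleaned):
        m = re.search(r"\bport\s+(\S+)", args)
        if m and m.group(1) != "*":
            findings.append((directive, m.group(1)))
    return findings


def audit(conf_text: str) -> list:
    """Human-readable findings; an empty list means nothing is pinned."""
    return [
        f"{directive} pins outgoing queries to UDP port {port}: drop the port "
        f"clause (or use 'port *') and admit the replies by connection state "
        f"(ESTABLISHED) instead of by a fixed source port"
        for directive, port in find_pinned_query_source_ports(conf_text)
    ]


if __name__ == "__main__":
    for line in audit(SAMPLE_NAMED_CONF) or ["no pinned query-source port found"]:
        print(line)
```

Run it against the real `/etc/named.conf` by reading the file into `audit()`; once it reports nothing, the `--sport 53` return rule in the firewall can be replaced by one that matches on ESTABLISHED state, which is the point P.A makes at the top of the message.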