sysucl | 1 Aug 2008 12:19

EFW & DNS cache poisoning flaw


Hello everyone,

My LAN is behind an Endian firewall box (v.1.1). I upgraded my local DNS
servers (bind9) to prevent DNS cache poisoning.
My local DNS are configured to forward to OpenDNS servers for the "outside"
servers.

When I perform a test (e.g. on the doxpara website), it seems that I'm still
vulnerable.
I browsed this forum and upgraded dnsmasq to version 2.43, but it doesn't
seem to fix my problem.
It seems that the EFW box cancels the benefit of random UDP source ports on
the bind9 servers.

Can anyone help me with this issue?
Thanks

ps: I can upgrade to a newer version of EFW if necessary, but I want to be
sure this will solve the problem, since it involves interrupting internet
access for some time.


Mike Tremaine | 1 Aug 2008 15:43

Re: EFW & DNS cache poisoning flaw

sysucl wrote:
> Hello everyone,
> 
> My LAN is behind an Endian firewall box (v.1.1). I upgraded my local DNS
> servers (bind9) to prevent DNS cache poisoning.
> My local DNS are configured to forward to OpenDNS servers for the "outside"
> servers.
> 
> When I perform a test (e.g. on the doxpara website), it seems that I'm still
> vulnerable.
> I browsed this forum and upgraded dnsmasq to version 2.43, but it doesn't
> seem to fix my problem.
> It seems that the EFW box cancels the benefit of random UDP source ports on
> the bind9 servers.
> 
> Can anyone help me with this issue?
> Thanks
> 
> ps: I can upgrade to a newer version of EFW if necessary, but I want to be
> sure this will solve the problem, since it involves interrupting internet
> access for some time.
> 
> 

I double checked the DNSmasq upgraded EFW I have deployed and did my 
local patched server and the results from Doxpara come back the same. It 
says it appears to be fine but to check this list and then shows some 
port numbers [which do not seem to change by the way.]

Another test is to use dns-oarc.net

Mike Tremaine | 1 Aug 2008 15:45

Re: EFW & DNS cache poisoning flaw

Mike Tremaine wrote:
> sysucl wrote:
>> Hello everyone,
>>
>> My LAN is behind an Endian firewall box (v.1.1). I upgraded my local DNS
>> servers (bind9) to prevent DNS cache poisoning.
>> My local DNS are configured to forward to OpenDNS servers for the "outside"
>> servers.
>>
>> When I perform a test (e.g. on the doxpara website), it seems that I'm still
>> vulnerable.
>> I browsed this forum and upgraded dnsmasq to version 2.43, but it doesn't
>> seem to fix my problem.
>> It seems that the EFW box cancels the benefit of random UDP source ports on
>> the bind9 servers.
>>
>> Can anyone help me with this issue?
>> Thanks
>>
>> ps: I can upgrade to a newer version of EFW if necessary, but I want to be
>> sure this will solve the problem, since it involves interrupting internet
>> access for some time.
>>
>>
> 
> I double checked the DNSmasq upgraded EFW I have deployed and did my 
> local patched server and the results from Doxpara come back the same. It 
> says it appears to be fine but to check this list and then shows some 
> port numbers [which do not seem to change by the way.]
> 

sysucl | 1 Aug 2008 16:11

Re: EFW & DNS cache poisoning flaw


Mike Tremaine wrote:
> 
> 
> 
> I double checked the DNSmasq upgraded EFW I have deployed and did my 
> local patched server and the results from Doxpara come back the same. It 
> says it appears to be fine but to check this list and then shows some 
> port numbers [which do not seem to change by the way.]
> 
> Another test is to use dns-oarc.net
> 
> dig +short porttest.dns-oarc.net TXT
> 
> In windows you can use nslookup
>  > nslookup
>  > set type=txt
>  > porttest.dns-oarc.net
> 
> 
> As far as I can tell the new version of DNSmasq does help but remember 
> that it has to ask an upstream DNS server and word is that lots of ISP's 
> have failed to do the upgrade.
> 
> -Mike
> 
> 
> 

Hi,

sysucl | 1 Aug 2008 16:15

Re: EFW & DNS cache poisoning flaw


Mike Tremaine wrote:
> 
> 
> PS - There seems to be a DNSmasq 2.45 out which obviously I better build 
> into an RPM. :/
> 
> 
> 

I tried it this morning (just replaced the binary on my efw box, to give it
a try).
I had a look at the changelog, and obviously the flaw was fixed in 2.43, so I
don't know if it's relevant to upgrade to 2.45 (for the flaw problem,
anyway. There might be other improvements in 2.45, though).
Henrique Rodrigues | 1 Aug 2008 16:26

Building software in/for Endian Firewall machine

Hello,

What is the preferred way to build software in Endian or for Endian? I
realise there's no compiler and compiler tools installed by default. Is
there any way to install them? Can I compile the software on another
machine and then transfer it to the Endian machine? If so, do you
recommend any distribution in particular or any other method?

Thank you in advance.

Best regards,
Henrique Rodrigues

Mike Tremaine | 1 Aug 2008 16:28

Re: EFW & DNS cache poisoning flaw

sysucl wrote:
> 
> 
> 
> I get strange results.
> 
> I tried with dnsmasq 2.43, but the query times out, it tells me it can't
> find the name server.
> On the efw box, I killed dnsmasq, and launched it again, but without the
> arguments from the rc file.
> #killall dnsmasq && dnsmasq
> 

The reload script [in Endian 2.0] is /etc/rc.d/rc.dnsmasq

> 
> If I run this from my primary dns:
> #dig +short porttest.dns-oarc.net TXT
> It tells me my dns security is POOR
> "x.y.z.w is POOR: 26 queries in 5.0 seconds from 26 ports with std dev 7"
> 
> 
> But if I try
> #dig  <at> firewall +short porttest.dns-oarc.net TXT
> "208.69.34.8 is GREAT: 26 queries in 4.0 seconds from 26 ports with std dev
> 19093"
> ( <at> firewall is my efw)
> I think 208.69.34.8 must belong to OpenDNS.
> So I'm a bit confused, I tried to forward the DNS queries to my efw, but it
> doesn't do the trick.

sysucl | 1 Aug 2008 16:49

Re: EFW & DNS cache poisoning flaw


Mike Tremaine wrote:
> 
> 
> I can dig at the efw box and it works like you showed.
> 
> [mgt <at> dwarfstar ~]$ dig  <at> 192.168.42.51 +short porttest.dns-oarc.net TXT
> porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "66.166.188.8 is GREAT: 26 queries in 0.8 seconds from 26 ports with std 
> dev 17631"
> 
> I just posted the 2.45 rpm also. So it seems to be working. Make sure 
> your DNS settings in DHCP are correct [I have it pointing to itself for
> DNS]
> 

I upgraded to dnsmasq 2.45 (just in case; thanks for the RPM). I restarted
dnsmasq using the script you mentioned.

My primary dns runs on the same machine as my dhcp server, and it is
different from the efw box. That seems to be quite different from your setup
:/
(So the dhcp on the efw is disabled, of course.)

I get the same results:
#dig  <at> firewall +short porttest.dns-oarc.net TXT
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.69.34.8 is GREAT: 26 queries in 4.0 seconds from 26 ports with std dev
19193"

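The porttest answers quoted in this thread, parsed and compared with a local port capture, as an added example that is not part of the thread. The first sample IP and the "own public IP" value are placeholders; the captured port lists are constructed; the one fact the helper relies on is that the IP in the answer is the source address dns-oarc saw, so behind a forwarder like dnsmasq it names the upstream resolver whose ports were measured, not the forwarder.

```python
import re
import statistics

# Constructed samples in the TXT answer format returned by porttest.dns-oarc.net,
# matching the two results quoted in the thread (x.y.z.w is a placeholder IP).
SAMPLE_POOR = '"x.y.z.w is POOR: 26 queries in 5.0 seconds from 26 ports with std dev 7"'
SAMPLE_GREAT = '"208.69.34.8 is GREAT: 26 queries in 4.0 seconds from 26 ports with std dev 19193"'

PORTTEST_RE = re.compile(
    r'(?P<ip>[^\s"]+) is (?P<verdict>[A-Z]+): (?P<queries>\d+) queries in '
    r'(?P<secs>[\d.]+) seconds from (?P<ports>\d+) ports with std dev (?P<sd>\d+)'
)


def parse_porttest(txt):
    """Parse one porttest TXT answer into its fields; raise on anything else."""
    m = PORTTEST_RE.search(txt)
    if not m:
        raise ValueError("not a porttest answer: %r" % txt)
    return {"ip": m["ip"], "verdict": m["verdict"], "queries": int(m["queries"]),
            "seconds": float(m["secs"]), "ports": int(m["ports"]), "std_dev": int(m["sd"])}


def measured_host(result, own_public_ip):
    """The IP in the answer is the source address dns-oarc saw. If it is not the
    public IP of the box under test, a forwarder relayed the query and the verdict
    describes the upstream resolver's ports, not the box's."""
    return "this resolver" if result["ip"] == own_public_ip else "upstream resolver"


def port_spread(ports):
    """Distinct-port count and population std dev over locally captured UDP source
    ports (e.g. from a packet capture on the WAN side): the two numbers the
    porttest verdict is built from. A 16-bit port space randomised properly gives
    a std dev in the tens of thousands; a NAT rewriting to sequential ports gives
    single digits, as in the POOR sample above."""
    return len(set(ports)), round(statistics.pstdev(ports))


# Constructed captures: sequential ports (what a port-rewriting NAT produces)
# versus ports spread over the whole unprivileged range.
SEQUENTIAL_PORTS = list(range(32768, 32768 + 26))
RANDOM_PORTS = [1025 + (i * 40503) % 64511 for i in range(26)]

if __name__ == "__main__":
    for sample in (SAMPLE_POOR, SAMPLE_GREAT):
        r = parse_porttest(sample)
        print(r["ip"], r["verdict"], "std dev", r["std_dev"],
              "measured:", measured_host(r, "192.0.2.10"))  # placeholder own IP
    print("sequential:", port_spread(SEQUENTIAL_PORTS), "random:", port_spread(RANDOM_PORTS))
```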

Jorge Schrauwen | 1 Aug 2008 17:48

Re: Building software in/for Endian Firewall machine

I'm not sure, but I think you can use the Fedora RPMs to install development tools.

~Jorge


On Fri, Aug 1, 2008 at 4:26 PM, Henrique Rodrigues <henrique.rodrigues-s6mEjpzMaPUVhHzd4jOs4w@public.gmane.org> wrote:
Hello,

What is the preferred way to build software in Endian or for Endian? I
realise there's no compiler and compiler tools installed by default. Is
there any way to install them? Can I compile the software on another
machine and then transfer it to the Endian machine? If so, do you
recommend any distribution in particular or any other method?

Thank you in advance.

Best regards,
Henrique Rodrigues



Scott Silva | 1 Aug 2008 23:01

Re: Building software in/for Endian Firewall machine

on 8-1-2008 8:48 AM Jorge Schrauwen spake the following:
> I'm not sure, but I think you can use the Fedora RPMs to install 
> development tools.
> 
> ~Jorge
I think he means install the development tools on a SEPARATE box, not on your 
firewall.

