[Dshield] BIND patches

Andre Costa brblueser at uol.com.br
Fri Nov 15 01:58:50 GMT 2002

Hi Johannes,

On Thu, 14 Nov 2002 09:14:28 -0500
Johannes Ullrich <jullrich at euclidian.com> wrote:

> The setup is reasonable (other than that you may want to consider
> chrooting). If you use iptables or another statefull firewall, you
> could try and setup only outbound connections to your ISPs name
> servers. I am not sure if this vulnerability could be exploited with
> UDP, but if it thats the case, the source of the exploit packet could
> be spoofed.

You're right, and I had thought about it, too. The thing is that I
sometimes receive requests from my nameservers (don't know exactly why,
it seems to be related to traceroutes I perform), like this one:

Nov 11 12:13:49 shadow kernel: Dropping: IN=eth0 OUT= MAC=00:e0:7d:cd:61:6b:00:05:5f:ea:1c:70:08:00 SRC= DST= LEN=66 TOS=0x00 PREC=0x00 TTL=248 ID=23016 DF PROTO=UDP SPT=53 DPT=32871 LEN=46

Destination port is random in these cases, and it seems to agree with
what is said in http://www.robertgraham.com/pubs/firewall-seen.html#1.2.
That is why I adopted the policy I described. But then again I am the
first to admit that if a hacker were able to spoof his IP to make it
"impersonate" my nameserver, I would be accepting UDP traffic from his
port 53 indeed.

So, what should I do? Should I simply drop such requests from my
nameserver? What could be the side effects?

> I am using BIND... haven't used anything else so far. But there is
> djbdns ( http://djbdns.com/ ) from the guy that wrote qmail. I do use
> qmail but am not a big fan of it.

I heard the other day about tinydns
(http://cr.yp.to/djbdns/tinydns.html) on Slashdot, but I don't really
have any opinion about it (someone was commenting on this BIND exploit
we're talking about and said he was thankful he uses tinydns instead).

> I think there are a couple of minimal DNS servers that do just
> caching. See freshmeat.net for a list.

I might do it, but you've encouraged me to insist a little further with
BIND9 ;) (and chroot!)

Thanks for the ideas.



Andre Oliveira da Costa
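To make the difference between the "accept UDP from port 53 of my nameservers" policy discussed above and a stateful (conntrack-style) rule concrete, here is an added example that is not part of this thread: it parses netfilter LOG lines of the kind quoted and checks each dropped packet against both policies. The addresses (192.0.2.0/24 documentation range), the nameserver list and the recorded outbound query are constructed for the example.

```python
import re

# Assumed ISP resolvers (constructed for this example).
NAMESERVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed netfilter LOG lines in the format quoted in the thread.
LOG_LINES = [
    # 1: reply to a query this host actually sent (see OUTBOUND_QUERIES)
    "Nov 11 12:13:49 shadow kernel: Dropping: IN=eth0 OUT= MAC=00:e0:7d:cd:61:6b:00:05:5f:ea:1c:70:08:00 "
    "SRC=192.0.2.53 DST=192.0.2.10 LEN=66 TOS=0x00 PREC=0x00 TTL=248 ID=23016 DF PROTO=UDP SPT=53 DPT=32871 LEN=46",
    # 2: unsolicited packet from port 53, source claims to be the nameserver
    "Nov 11 12:14:02 shadow kernel: Dropping: IN=eth0 OUT= MAC=00:e0:7d:cd:61:6b:00:05:5f:ea:1c:70:08:00 "
    "SRC=192.0.2.53 DST=192.0.2.10 LEN=66 TOS=0x00 PREC=0x00 TTL=248 ID=23017 DF PROTO=UDP SPT=53 DPT=40000 LEN=46",
    # 3: port 53 source, but not one of the configured nameservers
    "Nov 11 12:14:10 shadow kernel: Dropping: IN=eth0 OUT= MAC=00:e0:7d:cd:61:6b:00:05:5f:ea:1c:70:08:00 "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=66 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=UDP SPT=53 DPT=32871 LEN=46",
]

# Queries the host sent out, as a connection tracker would record them:
# (nameserver address, local source port). Constructed for the example.
OUTBOUND_QUERIES = {("192.0.2.53", 32871)}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log(line):
    """Split a netfilter LOG line into KEY=value fields.

    LEN appears twice (IP total length, then UDP length); the first is kept.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def port_based_accept(f):
    """Policy from the thread: UDP from port 53 of a known nameserver."""
    return f.get("PROTO") == "UDP" and f.get("SPT") == "53" and f.get("SRC") in NAMESERVERS


def stateful_accept(f, outbound):
    """Accept only a reply that matches a query this host sent."""
    return port_based_accept(f) and (f["SRC"], int(f["DPT"])) in outbound


def classify(lines, outbound):
    """Return (port_based, stateful) verdicts for each log line."""
    return [(port_based_accept(f), stateful_accept(f, outbound))
            for f in map(parse_log, lines)]
```

Line 2 is the case the thread worries about: the port-based rule accepts it because the source address and port look right, while the stateful rule rejects it because no query was sent from port 40000.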
