Re: [Bastille-linux-discuss] DNS caching exploit defense with iptables
From: Michael R. <mb...@ci...> - 2008-07-18 03:48:54
On Jul 16, 2008, Michael St. Laurent wrote:

> Have you integrated this into your Bastille installation? Got a patch?

Although I don't use the bastille-netfilter script, I've attached a patch that uses the --random option in the iptables MASQUERADE target (I'm not sure when this was first available, but it's in iptables-1.4.1.1) for all outbound DNS queries. If you have a chance, please let me know if there are any issues. You may want to verify that the UDP source port for outbound DNS queries is truly randomized on your external interface.

Thanks,

--Mike

> -----Original Message-----
> From: bas...@li...
> [mailto:bas...@li...] On Behalf
> Of Michael Rash
> Sent: Tuesday, July 15, 2008 6:55 PM
> To: bas...@li...
> Subject: [Bastille-linux-discuss] DNS caching exploit defense with
> iptables
>
>
> Hi all -
>
> It's well known that Dan Kaminsky is going to present a significant
> development regarding a caching exploit against DNS at Blackhat this
> year. For anyone who has not patched their DNS servers, here is a
> strategy for adding a single iptables "SNAT --random" rule to mitigate
> the attack (for those DNS servers deployed on or behind a system running
> Linux):
>
> http://www.cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
>
> --
> Michael Rash
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
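The two things the thread asks for, the MASQUERADE --random rule for outbound DNS and a way to confirm that source ports really are randomized on the external interface, as an added shell example. This is not the attached patch, nor code from the original mails or the Bastille project. It assumes the external interface is named eth0 (overridable) and that the capture to be checked is tcpdump-style text such as `tcpdump -ni eth0 -l udp dst port 53` prints; the two sample captures embedded below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not the patch from the mail or Bastille's bastille-netfilter script.

# Emit the nat rule that rewrites the UDP source port of every outbound DNS
# query leaving the external interface with a random port, using the --random
# flag of the MASQUERADE target (present in iptables-1.4.1.1 per the mail).
# $1 = external interface; assumed default eth0.
dns_snat_rule() {
    iface="${1:-eth0}"
    printf 'iptables -t nat -A POSTROUTING -o %s -p udp --dport 53 -j MASQUERADE --random\n' "$iface"
}

# Read tcpdump-style lines on stdin, pull the UDP source port of each query to
# port 53, and report how many queries were seen, how many distinct source
# ports were used and how many ports simply advanced by one from the previous
# query. Exit 0 only when every query used a fresh port and fewer than half
# were sequential; exit 1 otherwise, meaning the rule is not taking effect.
dns_sport_check() {
    awk '
    / > .*\.53: / {
        src = $3                  # "203.0.113.10.51234"
        sub(/.*\./, "", src)      # keep only the port after the last dot
        total++
        if (!(src in seen)) distinct++
        seen[src] = 1
        if (total > 1 && src + 0 == prev + 1) sequential++
        prev = src + 0
    }
    END {
        printf "total=%d distinct=%d sequential=%d\n", total, distinct, sequential
        exit (total > 0 && distinct == total && sequential < total / 2) ? 0 : 1
    }'
}

# Constructed capture: a resolver that hands out consecutive source ports
# (the weak behaviour the --random rule is meant to hide). The NTP line is
# noise that the check must ignore.
sample_sequential() {
    cat <<'EOF'
12:00:01.000001 IP 203.0.113.10.32768 > 198.51.100.53.53: 4001+ A? example.com. (29)
12:00:01.000002 IP 203.0.113.10.32769 > 198.51.100.53.53: 4002+ A? example.net. (29)
12:00:01.000003 IP 203.0.113.10.123 > 198.51.100.7.123: NTPv4, Client, length 48
12:00:01.000004 IP 203.0.113.10.32770 > 198.51.100.53.53: 4003+ A? example.org. (29)
12:00:01.000005 IP 203.0.113.10.32771 > 198.51.100.53.53: 4004+ AAAA? example.com. (29)
12:00:01.000006 IP 203.0.113.10.32772 > 198.51.100.53.53: 4005+ MX? example.com. (29)
EOF
}

# Constructed capture: the same queries after the MASQUERADE --random rule,
# with no reuse and no run of consecutive ports.
sample_random() {
    cat <<'EOF'
12:00:02.000001 IP 203.0.113.10.51234 > 198.51.100.53.53: 4001+ A? example.com. (29)
12:00:02.000002 IP 203.0.113.10.13807 > 198.51.100.53.53: 4002+ A? example.net. (29)
12:00:02.000003 IP 203.0.113.10.123 > 198.51.100.7.123: NTPv4, Client, length 48
12:00:02.000004 IP 203.0.113.10.60121 > 198.51.100.53.53: 4003+ A? example.org. (29)
12:00:02.000005 IP 203.0.113.10.2983 > 198.51.100.53.53: 4004+ AAAA? example.com. (29)
12:00:02.000006 IP 203.0.113.10.44510 > 198.51.100.53.53: 4005+ MX? example.com. (29)
EOF
}

# Demonstration: print the rule, then run the check over both captures.
dns_snat_rule eth0
sample_sequential | dns_sport_check || echo "sequential capture: source ports NOT randomized"
sample_random | dns_sport_check && echo "random capture: source ports look randomized"
```

On a live box the rule only affects packets that leave through the named interface, so it covers a resolver on the firewall itself or on a host behind it, as the original mail describes; to check a real capture, pipe `tcpdump -ni eth0 -l udp dst port 53` into `dns_sport_check` while the resolver is busy and expect the distinct count to track the total.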