Topic: huge DNS flaw patch  (Read 5469 times)
« on: July 10, 2008, 09:01:36 »
linuxamp
Guest

Is Monowall affected by the huge DNS flaw that's being patched by all DNS vendors?  If so, when can we expect a patch?

I hate to sound pushy but it sounds like it's an important update.

http://www.securityfocus.com/news/11526
« Reply #1 on: July 10, 2008, 09:10:23 »
Manuel Kasper
Administrator
Posts: 364

http://m0n0.ch/wall/list/showmsg.php?id=346/28
« Reply #2 on: July 10, 2008, 09:35:25 »
linuxamp
Guest

Sweet...  Thanks!
« Reply #3 on: July 24, 2008, 17:36:48 »
rcpao
Posts: 4


http://www.doxpara.com/ has a DNS CHECKER to test the randomness suggesting it's not random enough.

Your name server, at #.#.#.#, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 84.

Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.
Requests seen for 387482d011b6.toorrr.com:
#.#.#.#:6106 TXID=31065
#.#.#.#:6143 TXID=43782
#.#.#.#:6155 TXID=2043
#.#.#.#:6080 TXID=26648
#.#.#.#:6071 TXID=8991

Apparently, someone decided it is a problem:
http://secunia.com/advisories/31197/
« Last Edit: July 24, 2008, 17:53:37 by rcpao »
« Reply #4 on: July 24, 2008, 18:59:55 »
Manuel Kasper
Administrator
Posts: 364

http://www.doxpara.com/ has a DNS CHECKER to test the randomness suggesting it's not random enough.

Your name server, at #.#.#.#, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 84.

And what was that masked out name server IP address ("#.#.#.#")? I'm pretty sure it wasn't your m0n0wall's, as Dnsmasq doesn't do recursive queries by itself, and always forwards them to the configured upstream DNS servers instead. So in that case it's likely your upstream DNS server that doesn't choose ports randomly (enough).

Or are you running a DNS server behind m0n0wall?
« Reply #5 on: August 18, 2008, 18:49:44 »
slick
Posts: 8

I'm having a dns resolution issue since updating to the latest version 1.234.
Anyone else?

I'm just using a net4801 at home with a couple of game ports forwarded.
When I downgrade to the next available version, 1.232, the problems are gone.
« Reply #6 on: August 19, 2008, 08:14:21 »
Manuel Kasper
Administrator
Posts: 364

I'm having a dns resolution issue since updating to the latest version 1.234.
Anyone else?

I'm just using a net4801 at home with a couple of game ports forwarded.

What exactly do you mean with "a couple of game ports"? Whole ranges of several hundred ports? Because otherwise it shouldn't really matter...
« Reply #7 on: August 19, 2008, 15:25:22 »
slick
Posts: 8

Well maybe a few more than a couple.

The only thing with a wide range of ports is SIP.
This is what I have forwarded. Hope it helps.


WAN TCP 8080 192.168.44.102 8080
WAN TCP 8081 192.168.44.105 80(HTTP) cam
WAN TCP/UDP 21705 192.168.44.7 21705 RealFlight
WAN TCP/UDP 2032 192.168.44.7 2032 RealFlight
WAN TCP/UDP 2302 192.168.44.7 2302 RealFlight
WAN TCP/UDP 2303 192.168.44.77 2303 RealFlight
WAN TCP/UDP 21646 192.168.44.102 21646 torrent
WAN UDP 5060-5061 192.168.44.21 5060-5061 SIP
WAN UDP 10000-20000 192.168.44.21 10000-20000 SIP Stream

BTW, the problem I have with the new version is that random websites will resolve fine one moment and not the next... google.com or apple.com,

or should I say they don't resolve at first and then resolve fine on a second try.
« Reply #8 on: August 19, 2008, 23:11:42 »
Manuel Kasper
Administrator
Posts: 364

WAN UDP 10000-20000 192.168.44.21 10000-20000 SIP Stream

Well, if you forward 10000 ports (out of 65535 possible), then the chances of Dnsmasq choosing a forwarded port (and hence not getting the reply from the upstream DNS server) are quite high.

Either reduce the size of that port range (usually just a handful of RTP ports are fine for VoIP devices, but make sure you configure the device accordingly), or change the range of ports available for random selection on the System: Advanced page to a dedicated range (e.g. 22000-64535).

Maybe we should try to come up with a way to avoid forwarded ports from being chosen by Dnsmasq...
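The collision odds Manuel describes, worked through as an added example (not m0n0wall or Dnsmasq code): the UDP forwards are taken from slick's NAT list above, the default source-port pool of 1024-65535 is an assumption, and the "reduced SIP range" is a constructed stand-in for whatever slick actually chose.

```python
import random

# UDP port forwards from the NAT list posted in this thread. TCP-only forwards
# cannot divert a UDP DNS reply, so they are left out.
UDP_FORWARDS = [
    (21705, 21705), (2032, 2032), (2302, 2302), (2303, 2303),  # RealFlight
    (21646, 21646),                                           # torrent
    (5060, 5061),                                             # SIP signalling
    (10000, 20000),                                           # SIP/RTP stream
]

# Constructed "after the fix" rule set: the RTP range shrunk to 20 ports.
REDUCED_FORWARDS = [f for f in UDP_FORWARDS if f != (10000, 20000)] + [(10000, 10019)]


def forwarded_ports(forwards):
    """Set of every UDP port that a NAT rule would redirect to a LAN host."""
    ports = set()
    for start, end in forwards:
        ports.update(range(start, end + 1))
    return ports


def diversion_probability(forwards, lo=1024, hi=65535):
    """Chance that a source port drawn uniformly from [lo, hi] is forwarded.

    A forwarded source port means the upstream server's reply is sent to the
    LAN host behind the NAT rule instead of to Dnsmasq, so the lookup fails.
    """
    taken = forwarded_ports(forwards)
    pool = range(lo, hi + 1)
    return sum(1 for p in pool if p in taken) / len(pool)


def range_is_clear(forwards, lo, hi):
    """True if a dedicated source-port range overlaps no forwarded port."""
    return not any(lo <= p <= hi for p in forwarded_ports(forwards))


def simulate_lost_replies(forwards, queries, lo=1024, hi=65535, seed=1):
    """Draw random source ports like a resolver would; count diverted replies."""
    rng = random.Random(seed)  # fixed seed keeps the demo reproducible
    taken = forwarded_ports(forwards)
    return sum(1 for _ in range(queries) if rng.randint(lo, hi) in taken)


if __name__ == "__main__":
    print("default pool, 10000-port RTP forward:", diversion_probability(UDP_FORWARDS))
    print("default pool, reduced RTP forward:  ", diversion_probability(REDUCED_FORWARDS))
    print("dedicated 22000-64535 pool is clear:", range_is_clear(UDP_FORWARDS, 22000, 64535))
```

With the original rules roughly one lookup in six loses its reply, which matches the intermittent "resolves on the second try" symptom; moving the source-port pool to 22000-64535 takes the probability to zero without touching the SIP rules.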
« Reply #9 on: August 21, 2008, 02:18:04 »
slick
Posts: 8

Ahhh.
It all makes sense now.

I upgraded and reduced the number of ports used by sip.
Everything is fine now. Though I suppose one of the forwarded ports could get caught in the Dnsmasq... I can live with it.

It would be a good thing to avoid the forwarded ports. Some people can have lots of ports for legitimate reasons.

It was several years ago when I set up the sip ports. I think it was for asterisk server to asterisk server or something. I'm not using it anymore and don't need so many ports.

Manuel,
Thanks sooo much for the response and the best firewall ever.
I hope I contributed something to make M0n0wall better.