CSS 11501 and DNS Vulnerability

Unanswered Question
Jul 25th, 2008
User Badges:

My question is regarding the recent DNS cache poisoning vulnerability (www.doxpara.com), and the use of NAT devices such as the Cisco CSS 11501. This vulnerablity does not exist for some DNS server packages (i.e. DJBNDS), but I have read suggestions that NAT devices, can make them vulnerable due to a low number of random source ports. Does anyone know how random the source ports are that are assigned by the CSS for DNS packets?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mhellman Fri, 07/25/2008 - 08:50
User Badges:
  • Blue, 1500 points or more

I'm not so sure that answers his question. The problem is that the NAT process can de-randomize source ports. The CSS might not be vulnerable per se (it's own resolver isn't vulnerable), but its use could very well result in other servers/resolvers being vulnerable.

Is it verified somewhere that CSS does randomize the ports?

pntbaytel Fri, 07/25/2008 - 09:35
User Badges:

Yes, this is the question that I was asking.

My simple packet sniffing seems to indicate that the ports are being de-randomized, but I was hoping for a confirmation from someone with more knowledge about the CSS.

Also, is there a way to configure the CSS to not use PAT, and only NAT the IPs for our DNS servers. Since I know that our DNS servers/resolvers are generating random ports, I would like to just pass those ports through the CSS in both directions, and not PAT them.

Syed Iftekhar Ahmed Fri, 07/25/2008 - 11:10
User Badges:
  • Blue, 1500 points or more

CSS uses some hashing mecanism (using both source & destination ports)

to pickup the source port (for source nat).

By default, PAT or port mapping is enabled for source groups on source ports

greater than 1023. The CSS translates such source ports to a range starting

at 2016.This can be changed using

You can change the base port and also change the number of ports

(config-group[group])#portmap base-port

(config-group[group])#portmap number-of-ports <#>

Option to keep source ports intact is available for UDP traffic.

"portmap disable" - Instructs the CSS to perform Network Address

Translation (NAT) only on the source IP addresses and not on the source

ports of "UDP traffic" hitting a particular source group.

Configuring Source Group Port Mapping



Syed Iftekhar Ahmed

mhellman Fri, 07/25/2008 - 11:18
User Badges:
  • Blue, 1500 points or more

Good info. One additional note:

"portmap disable" - Instructs the CSS to perform Network Address

Translation (NAT) only on the source IP addresses and not on the source

ports of "UDP traffic" hitting a particular source group.

I don't know diddely about the CSS, but presumably this can only work if your doing one-for-one NAT. Obviously if I have multiple clients hitting the same IP on the load balancer it has to deal with source ports.

pntbaytel Fri, 07/25/2008 - 11:44
User Badges:

I tried the "portmap disable" command on the source group for one of our DNS servers, and the DNS server stopped working. Is there perhaps something else that has to be configured in addition to this (ACLs, flow and port mapping parameters, destination services ... )? My knowledge is a little foggy in this area.

Also, a quick run-down on our setup. Each of our DNS servers has a one-to-one NAT setup, with a single external IP on the Internet mapped to a single internal IP behind the CSS. When one of our customers query a DNS server for something that is not in its cache, then our DNS server (behind CSS) needs to query another DNS server on the Internet to get the information. It is here that the problem arises. Our DNS server nicely picks a random port, and then sends its request to port 53 on the other server on the Internet. However, the CSS changes this port to a less random one, before it sends the packet out. I too though the "portmap disable" would solve this, but it seemed to break our DNS server.


This Discussion