CSS 11501 and DNS Vulnerability

pncisco216
Level 1

My question is regarding the recent DNS cache poisoning vulnerability (www.doxpara.com) and the use of NAT devices such as the Cisco CSS 11501. This vulnerability does not exist for some DNS server packages (i.e. djbdns), but I have read suggestions that NAT devices can make them vulnerable due to a low number of random source ports. Does anyone know how random the source ports are that are assigned by the CSS for DNS packets?

6 Replies

As per the official statement, CSS is not affected. Only GSS (only if CNR is enabled) is affected.

Details at http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml

Syed Iftekhar Ahmed

I'm not so sure that answers his question. The problem is that the NAT process can de-randomize source ports. The CSS might not be vulnerable per se (its own resolver isn't vulnerable), but its use could very well result in other servers/resolvers being vulnerable.

Is it verified somewhere that CSS does randomize the ports?

Yes, this is the question that I was asking.

My simple packet sniffing seems to indicate that the ports are being de-randomized, but I was hoping for a confirmation from someone with more knowledge about the CSS.

Also, is there a way to configure the CSS to not use PAT, and only NAT the IPs for our DNS servers? Since I know that our DNS servers/resolvers are generating random ports, I would like to just pass those ports through the CSS in both directions, and not PAT them.
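A way to put numbers on what the packet sniff above suggests, as an added example that is not part of this thread and not Cisco code: given the list of UDP source ports observed leaving the NAT device (what a capture of outbound recursive queries yields), it reports the span of ports actually used, how often ports repeat, and whether they advance sequentially, which is the signature of a small PAT pool. The PAT model in it is a constructed simplification (ports handed out in order from a pool starting at 2016); the thread says the real CSS hashes on source and destination port, so the model only illustrates the effect, not the CSS algorithm.

```python
"""Quantify how random the UDP source ports leaving a NAT/PAT device are.

Added example for this thread, not code from Cisco or from the posters.
Input is a list of observed source ports; output is a small report that
flags ports squeezed into a narrow, predictable pool such as the CSS
default range starting at 2016.
"""
import random
from collections import Counter


def random_resolver_ports(n, seed=7):
    """Constructed sample: a resolver choosing ephemeral ports uniformly
    from 1024-65535, as a port-randomising resolver does."""
    rng = random.Random(seed)
    return [rng.randrange(1024, 65536) for _ in range(n)]


def simulate_pat(ports, base_port=2016, number_of_ports=2048):
    """Constructed PAT model (an assumption, not the CSS algorithm): every
    source port above 1023 is rewritten to the next port in a pool of
    number_of_ports starting at base_port, mirroring the thread's
    'portmap base-port' / 'portmap number-of-ports' settings. Ports
    <= 1023 pass through untouched, as the thread says PAT applies only
    to ports greater than 1023."""
    translated = []
    offset = 0
    for port in ports:
        if port > 1023:
            translated.append(base_port + offset)
            offset = (offset + 1) % number_of_ports
        else:
            translated.append(port)
    return translated


def looks_sequential(ports, max_step=4, threshold=0.8):
    """True when at least `threshold` of the consecutive deltas are small
    positive steps, i.e. a pool handed out in order."""
    if len(ports) < 2:
        return False
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    small = sum(1 for d in deltas if 0 < d <= max_step)
    return small / len(deltas) >= threshold


def assess_ports(ports, min_span=4096, min_distinct_ratio=0.9):
    """Summarise a sample of observed source ports.

    span:           width of the range actually used
    distinct_ratio: fraction of queries whose port was not reused
    sequential:     whether ports advance in small steps
    acceptable:     all three checks pass (thresholds are illustrative)
    """
    if not ports:
        raise ValueError("no ports observed")
    span = max(ports) - min(ports) + 1
    distinct_ratio = len(Counter(ports)) / len(ports)
    sequential = looks_sequential(ports)
    acceptable = (
        span >= min_span
        and distinct_ratio >= min_distinct_ratio
        and not sequential
    )
    return {
        "span": span,
        "distinct_ratio": distinct_ratio,
        "sequential": sequential,
        "acceptable": acceptable,
    }


if __name__ == "__main__":
    # Same 2000 queries, before and after the constructed PAT pool.
    resolver = random_resolver_ports(2000)
    after_pat = simulate_pat(resolver)
    print("resolver itself  :", assess_ports(resolver))
    print("after PAT (2016+):", assess_ports(after_pat))
```

To use it on a real capture, replace `random_resolver_ports` with the source ports pulled from the outbound DNS packets (for example the UDP source port column of a sniffer export) and run `assess_ports` on that list; a narrow span plus a sequential pattern is the de-randomisation the thread describes, while a wide span with few repeats means the device is preserving the resolver's randomness.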

CSS uses some hashing mechanism (using both source & destination ports) to pick the source port (for source NAT).

By default, PAT or port mapping is enabled for source groups on source ports greater than 1023. The CSS translates such source ports to a range starting at 2016. This can be changed using the following. You can change the base port and also change the number of ports:

(config-group[group])#portmap base-port
(config-group[group])#portmap number-of-ports <#>

Option to keep source ports intact is available for UDP traffic.

"portmap disable" - Instructs the CSS to perform Network Address Translation (NAT) only on the source IP addresses and not on the source ports of "UDP traffic" hitting a particular source group.

Configuring Source Group Port Mapping
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/SGrp.html#wp1150100

Syed Iftekhar Ahmed

Good info. One additional note:

"portmap disable" - Instructs the CSS to perform Network Address Translation (NAT) only on the source IP addresses and not on the source ports of "UDP traffic" hitting a particular source group.

I don't know diddly about the CSS, but presumably this can only work if you're doing one-for-one NAT. Obviously if I have multiple clients hitting the same IP on the load balancer it has to deal with source ports.

I tried the "portmap disable" command on the source group for one of our DNS servers, and the DNS server stopped working. Is there perhaps something else that has to be configured in addition to this (ACLs, flow and port mapping parameters, destination services ...)? My knowledge is a little foggy in this area.

Also, a quick run-down on our setup. Each of our DNS servers has a one-to-one NAT setup, with a single external IP on the Internet mapped to a single internal IP behind the CSS. When one of our customers queries a DNS server for something that is not in its cache, then our DNS server (behind CSS) needs to query another DNS server on the Internet to get the information. It is here that the problem arises. Our DNS server nicely picks a random port, and then sends its request to port 53 on the other server on the Internet. However, the CSS changes this port to a less random one before it sends the packet out. I too thought the "portmap disable" would solve this, but it seemed to break our DNS server.
