My question is regarding the recent DNS cache poisoning vulnerability (www.doxpara.com), and the use of NAT devices such as the Cisco CSS 11501. This vulnerability does not exist for some DNS server packages (i.e. DJBDNS), but I have read suggestions that NAT devices can make them vulnerable due to a low number of random source ports. Does anyone know how random the source ports are that are assigned by the CSS for DNS packets?
I'm not so sure that answers his question. The problem is that the NAT process can de-randomize source ports. The CSS might not be vulnerable per se (its own resolver isn't vulnerable), but its use could very well result in other servers/resolvers being vulnerable.
Is it verified somewhere that CSS does randomize the ports?
My simple packet sniffing seems to indicate that the ports are being de-randomized, but I was hoping for a confirmation from someone with more knowledge about the CSS.
Also, is there a way to configure the CSS to not use PAT, and only NAT the IPs for our DNS servers? Since I know that our DNS servers/resolvers are generating random ports, I would like to just pass those ports through the CSS in both directions, and not PAT them.
"portmap disable" - Instructs the CSS to perform Network Address Translation (NAT) only on the source IP addresses and not on the source ports of "UDP traffic" hitting a particular source group.
I don't know diddly about the CSS, but presumably this can only work if you're doing one-for-one NAT. Obviously if I have multiple clients hitting the same IP on the load balancer it has to deal with source ports.
I tried the "portmap disable" command on the source group for one of our DNS servers, and the DNS server stopped working. Is there perhaps something else that has to be configured in addition to this (ACLs, flow and port mapping parameters, destination services ... )? My knowledge is a little foggy in this area.
Also, a quick run-down on our setup. Each of our DNS servers has a one-to-one NAT setup, with a single external IP on the Internet mapped to a single internal IP behind the CSS. When one of our customers queries a DNS server for something that is not in its cache, then our DNS server (behind the CSS) needs to query another DNS server on the Internet to get the information. It is here that the problem arises. Our DNS server nicely picks a random port, and then sends its request to port 53 on the other server on the Internet. However, the CSS changes this port to a less random one, before it sends the packet out. I too thought the "portmap disable" would solve this, but it seemed to break our DNS server.
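A way to check the packet-sniffing observation described in this thread on either side of the CSS, as an added example that is not from the thread or from Cisco: it parses tcpdump-style lines (the capture lines, resolver address 10.0.0.5 and NAT address 203.0.113.10 below are constructed) and flags a source-port sequence that looks de-randomized by PAT.

```python
import math
import re
from collections import Counter

# Matches an outbound UDP query to port 53 in tcpdump's default output,
# e.g. "IP 10.0.0.5.41922 > 198.51.100.1.53: 4711+ A? example.com. (29)"
_DNS_QUERY = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.53:")


def source_ports(lines, resolver_ip):
    """Return, in capture order, the source ports resolver_ip used for queries to port 53.
    Replies (destination port != 53) do not match the pattern and are skipped."""
    ports = []
    for line in lines:
        m = _DNS_QUERY.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports


def port_stats(ports):
    """Summarise how random a sequence of source ports looks: distinct count,
    Shannon entropy in bits, fraction of consecutive samples that step by +1,
    the port range covered, and a verdict based on those last two."""
    n = len(ports)
    if n < 2:
        raise ValueError("need at least two samples")
    counts = Counter(ports)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    sequential = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1) / (n - 1)
    span = max(ports) - min(ports) + 1
    # Mostly +1 steps, or everything squeezed into a small range, is the
    # signature of a NAT handing out ports from a counter rather than at random.
    derandomized = sequential >= 0.5 or span < 1024
    return {"samples": n, "distinct": len(counts), "entropy_bits": round(entropy, 2),
            "sequential_fraction": round(sequential, 2), "span": span,
            "derandomized": derandomized}


# Constructed sample: capture on the inside interface (resolver picks random ports)
INSIDE_CAPTURE = [
    "IP 10.0.0.5.41922 > 198.51.100.1.53: 4711+ A? example.com. (29)",
    "IP 198.51.100.1.53 > 10.0.0.5.41922: 4711 1/0/0 A 192.0.2.1 (45)",  # reply, ignored
    "IP 10.0.0.5.7310 > 198.51.100.1.53: 4712+ A? example.net. (29)",
    "IP 10.0.0.5.58077 > 198.51.100.1.53: 4713+ A? example.org. (29)",
    "IP 10.0.0.5.23456 > 198.51.100.1.53: 4714+ AAAA? example.com. (29)",
    "IP 10.0.0.5.61234 > 198.51.100.1.53: 4715+ MX? example.com. (29)",
    "IP 10.0.0.5.3921 > 198.51.100.1.53: 4716+ A? example.edu. (29)",
]
# Constructed sample: same queries seen on the outside interface after PAT
OUTSIDE_CAPTURE = [f"IP 203.0.113.10.{1025 + i} > 198.51.100.1.53: {4711 + i}+ A? x. (20)"
                   for i in range(6)]
```

Run `port_stats(source_ports(lines, ip))` on a capture from each side; if the outside verdict is `derandomized` while the inside one is not, the NAT device is undoing the resolver's port randomization.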