More on DNS Cache Poisoning and Network Address Translation
Posted by Tom Cross on July 14, 2008 at 7:52 PM EDT.
This blog post is a followup to an earlier note I posted about the effect of different NAT devices on the recent DNS vulnerability patches. A reader named Huzeyfe ONAL wrote in to let me know that he had tested his OpenBSD machine running pf and found that each UDP session seemed to be assigned a different, random port. Several references online seem to confim this. This provides another example of a secure NAT strategy, besides the one employed by Linux.
Whats interesting about this strategy is that, based on what has been disclosed so far about Dan Kaminsky's new DNS Cache Poisoning attack, it seems likely that unpatched DNS servers behind NAT devices that behave like this may not be vulnerable. So, on the one hand, a helpful NAT that selects cryptographically random source ports can help protect a vulnerable application running behind it that selects ports predictibly, but on the other hand a NAT that selects ports sequentially breaks the security of applications behind it that depend on random port selection. So, your mitigation strategy may depend significantly on what sort of NAT you have.
More on this story as it develops, but unless someone who knows the details of this attack confirms otherwise, I would not rest a decision not to patch a vulnerable DNS server behind an OpenBSD pf NAT on the (educated) speculation you read here. You are always better off if you patch.
Also, if you are a developer of NAT devices or software and you are looking for guidance there is an excellent Internet Draft available which discusses various strategies for random network port assignment and their various merits. Don't miss it.