
DNS Cache poison check

Discussion in 'Tomato Firmware' started by pfoomer, Jul 24, 2008.

  1. pfoomer

    pfoomer LI Guru Member

    Hi

    After all the DNS cache poison news, I did a check (http://www.doxpara.com/) and got this.

    Your name server, at xxx.xxx.xxx.xxx, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 250.
    Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.

    I don't understand the significance of the statement regarding the NAT/Firewall, can anyone enlighten me?

    Tks
     
  2. digerat1

    digerat1 Addicted to LI Member

  3. Rudi1

    Rudi1 Network Guru Member

    With Tomato 1.21 I have this results:

    DNS Resolver(s) Tested:
    1xx.1xx.1xx.1xx appears to have GREAT source port randomness and GREAT transaction ID randomness.

    Test time: 2008-07-27 09:29:08 UTC
     
  4. digerat1

    digerat1 Addicted to LI Member

    From what I have read the vulnerability only applies to your DNS Server and/or Client, Tomato by default does not run a DNS server, but does have DNSmasq as an option to do so. In most cases the vulnerability directly targets the ISP DNS servers as those are dynamically assigned to ones Gateway. The local vulnerability only matters if you use specific editions of windows and the 'DNS Client' service is running.

    Therefore the results of these tests will depend on your ISP and edition of Windows if you're not using Tomato to host a DNS server; we could all be running the same firmware and get different results.

    http://secunia.com/advisories/30925/
    http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx

    I hope I have that right, please correct me if I am wrong. :)
     
  5. guillaumy

    guillaumy LI Guru Member

    "When in doubt, patch" is what I'd say :wink:
     
  6. pfoomer

    pfoomer LI Guru Member

    Well I may go up a release, however, the

    Your name server, at xxx.xxx.xxx.xxx, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 250.

    bit was what I was concerned about.

    I assume it's talking about my NAT/Firewall because the one in the modem is off, unless it's my ISP?

    Out of curiosity, can any one tell me what settings they have for

    DHCP / DNS Server
    Use Internal Caching DNS Forwarder
    Use Received DNS With Static DNS
    Intercept DNS Port
    (UDP 53)


    Tks

    Edit

    Duh, blonde hair stupid girly day. :wall:

    The NAT in the modem was on, so now I get

    Your name server, at xxx.xxx.xxx.xxx, appears to be safe, but make sure the ports listed below aren't following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100...).

    Hum, hope I never need to use the modem as a router (cos Linksys still haven't responded/fixed another buglet)
     
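The two checker messages quoted in this thread (the "difference between largest port and smallest port was only 250" result, and the later "make sure the ports ... aren't following an obvious pattern" result) boil down to one question: how many distinct (source port, transaction ID) pairs does an off-path attacker have to guess to forge a reply the resolver will accept? The script below, an added example that is not the doxpara checker's code and not part of Tomato or dnsmasq, reproduces that reasoning over three constructed lists of observed source ports. The 1024 ephemeral-port floor and the 1000-port "narrow" threshold are assumptions chosen for illustration, not values taken from the test site.

```python
"""
Source-port randomness check in the spirit of the DNS checker quoted above.

Added example: not the doxpara checker's code, not Tomato/dnsmasq code.
The port lists below are constructed for illustration, not captured traffic.
"""

TXID_SPACE = 65536                  # 16-bit DNS transaction ID
EPHEMERAL_FLOOR = 1024              # assumption: resolver picks ports >= 1024
USABLE_PORTS = 65536 - EPHEMERAL_FLOOR   # 64512 ports if fully randomized
NARROW_THRESHOLD = 1000             # assumption: spread below this is "narrow"

# Constructed samples of the source port seen on ten consecutive queries.
RANDOMIZED = [51733, 2077, 60214, 33902, 9120, 44871, 20566, 63001, 12890, 38457]
# A NAT that rewrites every outbound port into a small pool collapses the spread.
NAT_COLLAPSED = [30117, 30004, 30250, 30088, 30199, 30031, 30142, 30000, 30066, 30233]
# A counter-based allocator yields the "obvious pattern" the checker warns about.
SEQUENTIAL = [1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010]


def port_spread(ports):
    """Largest minus smallest observed port: the figure the checker reports."""
    return max(ports) - min(ports)


def looks_sequential(ports):
    """True when every query used a higher port than the one before it.

    Both patterns the checker names (:1001, :1002, ... and :30000, :30020,
    :30100, ...) are strictly increasing, so this catches them regardless of
    the step size; the attacker can then predict the next port outright."""
    return all(b > a for a, b in zip(ports, ports[1:]))


def classify(ports):
    """Verdict analogous to the three messages quoted in the thread."""
    if looks_sequential(ports):
        return "PATTERN"
    if port_spread(ports) < NARROW_THRESHOLD:
        return "NARROW"
    return "GREAT"


def guess_space(port_space, txid_space=TXID_SPACE):
    """Number of (port, TXID) pairs a blind spoofer must cover.

    With only the TXID randomized this is 65536; each extra bit of port
    entropy doubles it, which is why port randomization was the fix."""
    return port_space * txid_space


def report(ports):
    """Summarize one sample the way a practitioner would read the checker."""
    spread = port_spread(ports)
    # Effective port space: the spread if the NAT narrowed it, else the full range.
    effective_ports = min(spread + 1, USABLE_PORTS)
    return {
        "verdict": classify(ports),
        "spread": spread,
        "guess_space": guess_space(effective_ports),
    }


if __name__ == "__main__":
    for name, sample in (("randomized", RANDOMIZED),
                         ("nat_collapsed", NAT_COLLAPSED),
                         ("sequential", SEQUENTIAL)):
        print(name, report(sample))
    # How much easier the NAT-collapsed case makes a blind spoof:
    print("full vs 250-port space:",
          guess_space(USABLE_PORTS) // guess_space(250), "x")
```

Reading the output: the NAT-collapsed sample has the same 250-port spread the first post reported, which shrinks the attacker's search space by a factor of about 258 compared with a fully randomized resolver, and the sequential sample is worse still because no search is needed at all. Running this against real traffic would mean capturing the source ports of outbound UDP/53 queries on the WAN side of the NAT, since, as the thread found, the modem's NAT can undo the randomization the resolver itself performs.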
