[LINK] Does your ISP randomize the DNS source port?

Karl Auer kauer at biplane.com.au
Wed Jul 30 00:13:05 AEST 2008


On Tue, 2008-07-29 at 00:13 -0700, Scott Howard wrote:
> Karl Auer <kauer at biplane.com.au> wrote:
>         If you are behind a NAT device - and 99% of all home users are
>         - your NAT is almost certainly derandomising the port numbers
>         used. Only a test on the open Internet is really valid.
> 
> Unless your system is originating the DNS requests itself (ie, using
> the root servers rather than an upstream cache) then what the NAT does
> isn't relevant. Even if it does de-randomize the source port, it's
> only going to do it between the NAT router and your ISP's DNS server,
> not any further - and it's the next step that is being tested here. So
> in almost every single case this test is valid regardless of whether
> you're behind a NAT router or not.

Yeees. You are right; I badly misread the original question. The test
does validly test the ISP's nameserver. If someone is between you and
the ISP's DNS nameserver, though? Anyone issuing queries with
predictable port numbers is at risk, particularly if they cache
responses. This would presumably include the little forwarders in ADSL
routers and the like. I'm just speculating here, happy to be set
straight. In any case, I don't see how someone behind NAT has any
option, really.

I have servers on routable addresses, but an internal caching server
behind NAT. The latter nameserver was indeed turning up with
derandomised port numbers, even though it was patched. So I set it to
use my "real" nameservers via forwarding, and that solved the problem.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: DD23 0DF3 2260 3060 7FEC 5CA8 1AF6 D9E3 CFEE 6B28
Public key at  : random.sks.keyserver.penguin.de
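A defender-side check related to the thread's point, added here and not code from the list or its authors: a small Python script that extracts the UDP source ports a resolver uses for its outbound queries from tcpdump-style lines (constructed sample below, not a real capture) and flags sequential or narrow port use, the pattern a port-rewriting NAT or an unpatched forwarder produces. The regex, addresses and thresholds are assumptions.

```python
import re

# Matches the source port of a UDP query to port 53 in "tcpdump -n" style
# text, e.g. "IP 192.0.2.10.51043 > 198.51.100.1.53: ..." (assumed format).
QUERY_RE = re.compile(r"\bIP \S+\.(\d{1,5}) > \S+\.53: ")

def source_ports(tcpdump_lines):
    """Extract outbound query source ports; reply lines do not match."""
    return [int(m.group(1)) for line in tcpdump_lines
            if (m := QUERY_RE.search(line))]

def port_randomness_report(ports, min_spread=1024):
    """Flag source-port sequences that look predictable.

    Heuristics (assumed thresholds, not from the thread): more than half of
    consecutive queries reuse or increment the port, fewer than half of the
    observed ports are distinct, or all ports fall within a narrow range.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    sequential_fraction = sum(d in (0, 1) for d in deltas) / len(deltas)
    unique = len(set(ports))
    spread = max(ports) - min(ports)
    predictable = (sequential_fraction > 0.5 or unique < len(ports) / 2
                   or spread < min_spread)
    return {"samples": len(ports), "unique": unique, "spread": spread,
            "sequential_fraction": sequential_fraction,
            "predictable": predictable}

# Constructed samples: a patched resolver on a routable address, and the same
# resolver seen from behind a NAT that rewrites ports sequentially.
RANDOMIZED_LINES = [
    "IP 192.0.2.10.51043 > 198.51.100.1.53: 1+ A? a.example. (27)",
    "IP 192.0.2.10.17422 > 198.51.100.1.53: 2+ A? b.example. (27)",
    "IP 192.0.2.10.60031 > 198.51.100.1.53: 3+ A? c.example. (27)",
    "IP 192.0.2.10.4289 > 198.51.100.1.53: 4+ A? d.example. (27)",
    "IP 198.51.100.1.53 > 192.0.2.10.4289: 4 1/0/0 A 203.0.113.5 (43)",
    "IP 192.0.2.10.33877 > 198.51.100.1.53: 5+ A? e.example. (27)",
]
NATTED_LINES = [f"IP 203.0.113.9.{p} > 198.51.100.1.53: {i}+ A? x.example. (27)"
                for i, p in enumerate(range(1025, 1031), start=1)]

if __name__ == "__main__":
    for name, lines in (("routable", RANDOMIZED_LINES), ("natted", NATTED_LINES)):
        print(name, port_randomness_report(source_ports(lines)))
```

Run it over real `tcpdump -n -i <iface> udp port 53` output taken on the resolver's upstream side; a "predictable" verdict from behind the NAT, as in the thread, says nothing about the resolver itself until the same check is repeated on the open Internet.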
