Re: DNS cache poisoning - Wake up everyone!



In article
<1il8jxz.13fb9m81ch1fsqN%usenet@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, James
Taylor <usenet@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Elliott Roper <nospam@xxxxxxxxx> wrote:

James Taylor <usenet@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Correct. You don't need to worry about your home router trying to be a
DNS resolver. However, you do need to worry about NAT routers in an
organisation that runs its own DNS resolvers behind a NAT because, even
if the resolver uses properly randomised UDP source ports, the NAT may
unrandomise them leaving it possible to exploit the predictability of
port numbering on the outside of the NAT. A company I consult for is
having exactly this problem, and there isn't yet a firmware update for
their Fortinet routers.

I think I have something similar with the village wireless mesh network
I use (and help look after).

Could you help me with this? Which part of the NAT is unrandomising?
Is it the ADSL router facing the outside, or something inside it port
forwards to? Or some combination? Clients inside the mesh see their
nearest access node as their DNS server. When I test with doxpara's
tool it reports on the external IP address the mesh faces the world
with: POOR, showing a pathetically unrandom tiny range of ports in use.

If I use dig from my Mac to doxpara's tester and use the ISP's "manual"
DNS server address it reports GREAT. The mesh boxes are some sort of
stripped-down Linux which lacks a dig command, so I can't test from the
gateway node, to which I have no physical access.

I think the router is a Linksys something, which I see others whinging
about on this topic, although some of them sound as clueless as me.

--
To de-mung my e-mail address:- fsnospam$elliott$$
PGP Fingerprint: 1A96 3CF7 637F 896B C810 E199 7E5C A9E4 8E59 E248
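To put numbers on what the doxpara tester reports, here is an added example that is not part of the thread: a small Python check that pulls the source ports of outbound DNS queries from a tcpdump capture taken on the outside of the NAT and rates how predictable they are. The capture lines, port lists and rating thresholds are all constructed for illustration, not the tester's real bands.

```python
# Added example (not from the thread): score the UDP source ports a resolver
# shows to the outside world, the way the doxpara tester rates them. Feed it
# ports taken from a capture on the NAT's external interface; the samples
# below are constructed, not real traffic.
import re

# tcpdump -n style lines as captured on the outside of the NAT (constructed).
SAMPLE_TCPDUMP = """\
10:01:02.000100 IP 203.0.113.5.1024 > 198.51.100.2.53: 4011+ A? example.net. (29)
10:01:02.004300 IP 203.0.113.5.1025 > 198.51.100.2.53: 4012+ A? example.org. (29)
10:01:02.009900 IP 203.0.113.5.1026 > 198.51.100.2.53: 4013+ AAAA? example.com. (29)
10:01:02.013700 IP 203.0.113.5.1027 > 198.51.100.2.53: 4014+ A? example.com. (29)
"""
# Constructed port sequences: a NAT that just increments, and a well-randomised one.
SEQUENTIAL_PORTS = [1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031]
RANDOM_PORTS = [54321, 12874, 60211, 3345, 49870, 28122, 7009, 61750]

_QUERY = re.compile(r"^\S+ IP \S+\.(\d+) > \S+\.53: ")

def ports_from_tcpdump(text):
    """Extract the source port of every outbound DNS query in tcpdump output."""
    return [int(m.group(1)) for line in text.splitlines()
            if (m := _QUERY.match(line))]

def rate_source_ports(ports):
    """Rate how hard the next source port is to guess: GREAT, GOOD or POOR."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    # Fraction of consecutive queries whose port is exactly the previous one + 1;
    # anything near 1.0 means the NAT (or resolver) is simply incrementing.
    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for s in steps if s == 1) / len(steps)
    reused = len(ports) - distinct
    # Thresholds are this example's own choice, roughly mirroring the tester's bands.
    if sequential >= 0.5 or span < 1024 or reused > len(ports) // 4:
        rating = "POOR"
    elif span < 16384:
        rating = "GOOD"
    else:
        rating = "GREAT"
    return rating, {"distinct": distinct, "span": span, "sequential": round(sequential, 2)}

if __name__ == "__main__":
    for name, ports in (("tcpdump sample", ports_from_tcpdump(SAMPLE_TCPDUMP)),
                        ("sequential", SEQUENTIAL_PORTS), ("random", RANDOM_PORTS)):
        print(name, *rate_source_ports(ports))
```

Running the same check against a capture on the inside of the NAT and one on the outside shows directly whether the NAT is the component unrandomising the ports.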