07-25-2008 06:19 AM
My question is regarding the recent DNS cache poisoning vulnerability (www.doxpara.com) and the use of NAT devices such as the Cisco CSS 11501. This vulnerability does not exist for some DNS server packages (i.e. DJBDNS), but I have read suggestions that NAT devices can make them vulnerable due to a low number of random source ports. Does anyone know how random the source ports are that are assigned by the CSS for DNS packets?
07-25-2008 08:38 AM
As per the official statement, CSS is not affected. Only GSS (and only if CNR is enabled) is affected.
Details at
http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml
Syed Iftekhar Ahmed
07-25-2008 08:50 AM
I'm not so sure that answers his question. The problem is that the NAT process can de-randomize source ports. The CSS might not be vulnerable per se (its own resolver isn't vulnerable), but its use could very well result in other servers/resolvers being vulnerable.
Is it verified somewhere that CSS does randomize the ports?
07-25-2008 09:35 AM
Yes, this is the question that I was asking.
My simple packet sniffing seems to indicate that the ports are being de-randomized, but I was hoping for a confirmation from someone with more knowledge about the CSS.
Also, is there a way to configure the CSS to not use PAT and only NAT the IPs for our DNS servers? Since I know that our DNS servers/resolvers are generating random ports, I would like to just pass those ports through the CSS in both directions and not PAT them.
07-25-2008 11:10 AM
CSS uses some hashing mechanism (using both source & destination ports) to pick the source port (for source NAT).
By default, PAT or port mapping is enabled for source groups on source ports greater than 1023. The CSS translates such source ports to a range starting at 2016. This can be changed: you can change the base port and also change the number of ports.
(config-group[group])#portmap base-port
(config-group[group])#portmap number-of-ports <#>
Option to keep source ports intact is available for UDP traffic.
"portmap disable" - Instructs the CSS to perform Network Address
Translation (NAT) only on the source IP addresses and not on the source
ports of "UDP traffic" hitting a particular source group.
Configuring Source Group Port Mapping
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/SGrp.html#wp1150100
Syed Iftekhar Ahmed
07-25-2008 11:18 AM
Good info. One additional note:
"portmap disable" - Instructs the CSS to perform Network Address
Translation (NAT) only on the source IP addresses and not on the source
ports of "UDP traffic" hitting a particular source group.
I don't know diddly about the CSS, but presumably this can only work if you're doing one-for-one NAT. Obviously if I have multiple clients hitting the same IP on the load balancer it has to deal with source ports.
07-25-2008 11:44 AM
I tried the "portmap disable" command on the source group for one of our DNS servers, and the DNS server stopped working. Is there perhaps something else that has to be configured in addition to this (ACLs, flow and port mapping parameters, destination services ... )? My knowledge is a little foggy in this area.
Also, a quick run-down on our setup. Each of our DNS servers has a one-to-one NAT setup, with a single external IP on the Internet mapped to a single internal IP behind the CSS. When one of our customers queries a DNS server for something that is not in its cache, then our DNS server (behind the CSS) needs to query another DNS server on the Internet to get the information. It is here that the problem arises. Our DNS server nicely picks a random port, and then sends its request to port 53 on the other server on the Internet. However, the CSS changes this port to a less random one before it sends the packet out. I too thought the "portmap disable" would solve this, but it seemed to break our DNS server.
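The "simple packet sniffing" the original poster mentions can be turned into a repeatable check: capture the resolver's outbound queries on the Internet side of the NAT and measure how many distinct source ports it actually uses. The script below is an added example, not code from this thread or from Cisco. It assumes tcpdump-style text lines (the capture lines, the resolver address 192.0.2.10 and the destination 198.51.100.53 are all constructed here) and uses the 2016 base port from the thread only to build the "behind PAT" sample; the thresholds in assess_ports are a heuristic, not a CSS-specific value.

```python
"""Measure whether a resolver's outbound DNS source ports look randomised or
have been squeezed into a narrow PAT pool (example code; inputs are constructed)."""
import math
import random
import re
from collections import Counter

# Matches the address part of a tcpdump IPv4 line:
# "10:00:00.000000 IP 192.0.2.10.40001 > 198.51.100.53.53: 1000+ A? example.net. (29)"
_TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def query_source_ports(lines, resolver_ip, dns_port=53):
    """Return the source ports of packets sent by resolver_ip to dns_port."""
    ports = []
    for line in lines:
        m = _TCPDUMP_RE.search(line)
        if not m:
            continue  # not a packet line (tcpdump banner, truncated line, etc.)
        src, sport, _dst, dport = m.groups()
        if src == resolver_ip and int(dport) == dns_port:
            ports.append(int(sport))
    return ports


def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution, in bits."""
    counts = Counter(ports)
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess_ports(ports):
    """Summarise the observed pool.

    Heuristic: a randomising resolver spreads queries over the high port range,
    so nearly every observed port is distinct and the span is wide. A PAT pool
    maps them into a small contiguous block, which shows up as few distinct
    ports, a narrow span and low entropy. Thresholds are assumptions for this
    example, not vendor figures.
    """
    if not ports:
        raise ValueError("no DNS queries from the resolver found in the capture")
    distinct = len(set(ports))
    span = max(ports) - min(ports) + 1
    narrow = distinct < len(ports) / 2 or span <= 4096
    return {
        "queries": len(ports),
        "distinct_ports": distinct,
        "lowest_port": min(ports),
        "span": span,
        "entropy_bits": round(port_entropy_bits(ports), 3),
        "looks_derandomised": narrow,
    }


def assess_capture(lines, resolver_ip):
    return assess_ports(query_source_ports(lines, resolver_ip))


def make_capture(resolver_ip, ports, dst="198.51.100.53"):
    """Constructed tcpdump-style lines, one query per source port given."""
    return [
        f"10:00:{i % 60:02d}.000000 IP {resolver_ip}.{p} > {dst}.53: {1000 + i}+ A? example.net. (29)"
        for i, p in enumerate(ports)
    ]


RESOLVER = "192.0.2.10"  # constructed address of the resolver behind the NAT

# Constructed sample: 192 queries folded into a 64-port PAT pool starting at 2016.
PAT_POOL_PORTS = [2016 + (7 * i) % 64 for i in range(192)]

# Constructed sample: 192 queries from a seeded PRNG over the high port range,
# standing in for a resolver whose ports pass through untouched.
_rng = random.Random(20080725)
RANDOM_PORTS = [_rng.randint(1024, 65535) for _ in range(192)]

if __name__ == "__main__":
    for label, ports in (("behind PAT", PAT_POOL_PORTS), ("untouched", RANDOM_PORTS)):
        print(label, assess_capture(make_capture(RESOLVER, ports), RESOLVER))
```

Run it against a real capture by feeding tcpdump's text output (for example from `tcpdump -n udp dst port 53`) into `query_source_ports` in place of the constructed lines; if the verdict comes back as derandomised after a few hundred queries, the NAT is collapsing the resolver's port choices into a small pool, which is exactly the condition the thread is worried about.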