SANS: DNS Bug Now Public?

Darren Bolding darren at
Wed Jul 23 19:16:41 UTC 2008

After a bit of looking around, I have not been able to find a list of
firewalls/versions which are known to provide appropriate randomness in
their PAT algorithms (or more importantly, those that do not).

I would be very interested in such a list if anyone knows of one.

As a side note, most people here realize this but, while people mention
firewalls, keep in mind that if a load-balancer or other device is your
egress PAT device, you might be interested in checking those systems
port-translation randomness as well.


On Wed, Jul 23, 2008 at 10:11 AM, Joe Abley <jabley at> wrote:

> On 23 Jul 2008, at 12:16, Jorge Amodio wrote:
> Let me add that folks need to understand that the "patch" is not a fix to a
>> problem that has been there for long time and
>> it is just a workaround to reduce the chances for a potential
>> attack, and it must be combined with best practices and
>> recommendations to implent a more robust DNS setup.
> Having just seen some enterprise types spend time patching their
> nameservers, it's also perhaps worth spelling out that "patch" in this case
> might require more than upgrading resolver code -- it could also involve
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT
> reassigns source ports in a predictable fashion, then no amount of BIND9
> patching is going to help.
> (Reconfiguring your internal resolvers to forward queries to an external,
> patched resolver which can see the world other than through NAT-coloured
> glasses may also be a way out.)
> Joe

-- Darren Bolding --
-- darren at --

More information about the NANOG mailing list