Re: iptables, NAT, DNS & Dan Kaminsky

From: Richard Hartmann
Date: Fri Aug 01 2008 - 08:45:16 EST


We are drifting from the initial topic, but oh well.. :)

On Thu, Jul 31, 2008 at 23:36, Ray Lee <ray-lk@xxxxxxxxxxxxx> wrote:


> or placing the DNS resolver behind a NAT
> masquerading firewall that does strict response dropping if a response
> comes from the wrong host. (There used to be an option in the kernel
> to deal with that -- loose source routing or somesuch, but I think
> that's a by-gone from the 2.4 era.)

You do not need a NAT to do this, you simply need to block packets
with a source address that does not match the routes your router has
in its routing table. Other than ISP end-customers and a few other
very clearly defined situations, this is highly non-trivial, though. Some
people still do this, but in most cases, it has proved impractical and
a source of many 'strange' errors.


> So, to answer Richard, yes something like that should work. I'm not an
> iptables guru by any means, but what you should do is set up a machine
> with that, and sniff the output of the DNS server before and after
> enabling that line to verify that it works.

I know that this is possible.
What I wanted to know is what kernel versions do what [automagically]
and in what way.


> The better solution, of course, is to update your DNS server to allow
> it to do the source port randomization itself.

Of course. But I want to fully understand all cases and this is the last
area I still lack information on.


Thanks,
Richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
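Ray's suggestion to sniff the resolver's outgoing queries before and after the change can be turned into a quick check. The following is an added example, not code from the thread: it parses constructed tcpdump-style query lines (sample data, not a real capture) and reports whether the source ports and transaction IDs vary or stay fixed/sequential.

```python
import re
from collections import Counter
from math import log2

# Constructed tcpdump-style lines (not a real capture): resolver 192.0.2.10
# sending queries to authoritative server 198.51.100.53.
CAPTURE_FIXED_PORT = """\
10:00:00.000100 IP 192.0.2.10.32768 > 198.51.100.53.53: 4660+ A? a.example. (27)
10:00:00.000200 IP 192.0.2.10.32768 > 198.51.100.53.53: 4661+ A? b.example. (27)
10:00:00.000300 IP 192.0.2.10.32768 > 198.51.100.53.53: 4662+ A? c.example. (27)
10:00:00.000400 IP 192.0.2.10.32768 > 198.51.100.53.53: 4663+ A? d.example. (27)
10:00:00.000500 IP 192.0.2.10.32768 > 198.51.100.53.53: 4664+ A? e.example. (27)
"""
CAPTURE_RANDOM_PORT = """\
10:00:00.000100 IP 192.0.2.10.51234 > 198.51.100.53.53: 2313+ A? a.example. (27)
10:00:00.000200 IP 192.0.2.10.33019 > 198.51.100.53.53: 40211+ A? b.example. (27)
10:00:00.000300 IP 192.0.2.10.58877 > 198.51.100.53.53: 9081+ A? c.example. (27)
10:00:00.000400 IP 192.0.2.10.40102 > 198.51.100.53.53: 61002+ A? d.example. (27)
10:00:00.000500 IP 192.0.2.10.62471 > 198.51.100.53.53: 17743+ A? e.example. (27)
"""

# Matches "IP src.port > dst.53: txid+" in tcpdump's default DNS summary.
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+")

def parse_queries(capture):
    """Extract (source_port, txid) from each outbound query line."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(QUERY_RE.search, capture.splitlines()) if m]

def entropy_bits(values):
    """Shannon entropy of the observed values, in bits."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def is_sequential(values):
    """True when every value is exactly the previous one plus one."""
    return all(b == a + 1 for a, b in zip(values, values[1:]))

def check_randomization(capture):
    """Summarise source-port and txid behaviour of the sniffed queries."""
    queries = parse_queries(capture)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    return {
        "queries": len(queries),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy_bits(ports), 2) if ports else 0.0,
        # A resolver reusing one port, or walking txids in order, is the weak case.
        "ports_randomized": bool(ports) and len(set(ports)) == len(ports),
        "sequential_txids": is_sequential(txids),
    }
```

On a real host, feed it the output of `tcpdump -n udp dst port 53` taken on the resolver's outside interface, once before and once after the NAT rule or resolver upgrade.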