Skip site navigation (1) Skip section navigation (2)

Re: Insecure DNS servers on PG infrastructure

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrew Sullivan <ajs(at)commandprompt(dot)com>
Cc: pgsql-www(at)postgresql(dot)org
Subject: Re: Insecure DNS servers on PG infrastructure
Date: 2008-07-25 20:44:32
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-www
Andrew Sullivan <ajs(at)commandprompt(dot)com> writes:
> On Fri, Jul 25, 2008 at 11:02:03AM -0400, Tom Lane wrote:
>> If it says FAIR or POOR then you have an unpatched server or there
>> is something interfering with the port randomization.  If the server
>> is behind a NAT firewall then the latter is entirely likely.

> There's no reason that a NAT should do that, if the device is
> competently built: if you randomise source ports on the inside, the
> NAT device could just use the same port on the outside.

I'm not convinced that that's true.  If the router is trying to forward
UDP messages arriving from several "inside" IP addresses using only one
"outside" address, it has to deal with the possibility of collisions,
ie two "inside" addresses using the same port number at about the same
time.  So it doesn't surprise me that it rewrites the port numbers.
If it assigned randomly-generated substitute numbers there'd be no
problem, but with no prior knowledge that would be a good idea you can
hardly blame the router authors for not indulging in extra complexity.

What I do know is that my own firewall hardware (a Netopia T1 router
that's two or three years old) *was* rewriting UDP port numbers on
requests from a machine that was sharing a NAT address with others.
After remapping to give that machine its own "outside" IP address,
it stopped doing so.  BTW the service was
invaluable in testing this; I'd probably have thought that just
installing the new BIND made me safe, if I hadn't had a way to test it.

			regards, tom lane

In response to


pgsql-www by date

Next:From: Andrew SullivanDate: 2008-07-25 22:04:48
Subject: Re: Insecure DNS servers on PG infrastructure
Previous:From: Andrew SullivanDate: 2008-07-25 15:40:49
Subject: Re: Insecure DNS servers on PG infrastructure

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group