DNS Cache Poisoning Flaw Fixes Undone

Written by Editor
Thursday, 24 July 2008 11:38
With all the fuss about the DNS cache poisoning flaw, one detail is being overlooked, and it could reverse some of the good work done by the fixes. One of the most widespread fixes for the flaw is being undone by another network technology found in many environments. Most of the fixes randomise the source port the DNS server uses for its outgoing queries. However, if you use Port Address Translation (PAT), which commonly accompanies Network Address Translation (NAT), you could be undoing the fix if the PAT implementation does not randomise the ports it allocates. A NAT device can also rewrite the randomised source port to something less random: if the device chooses translated ports with a generator that has insufficient entropy, the query leaves the network with a predictable port, and the patch supplied by many vendors is effectively weakened. To ensure that NAT is not interfering with the DNS poisoning fix, it is recommended that the following options are considered as possible solutions:
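An added example, not from the article, of the kind of check a network team can run on the outside of their NAT to see whether the fix is being undone: it parses constructed tcpdump-style lines for the translated source ports of outgoing DNS queries and flags sequential or narrow-pool allocation (the regex, thresholds and sample data are assumptions of this example).

```python
"""Check whether the source ports a resolver uses, as seen on the outside
of a NAT/PAT device, are still random. Added example, not from the article;
all input below is constructed sample data, not a real capture."""
import math
import random
import re
from collections import Counter

# Constructed tcpdump-style lines as captured on the WAN side of the NAT
# (resolver queries to the upstream server 198.51.100.1 on port 53).
SAMPLE_CAPTURE = """\
IP 203.0.113.7.1024 > 198.51.100.1.53: 1+ A? a.example. (27)
IP 203.0.113.7.1025 > 198.51.100.1.53: 2+ A? b.example. (27)
IP 203.0.113.7.1026 > 198.51.100.1.53: 3+ A? c.example. (27)
IP 203.0.113.7.1027 > 198.51.100.1.53: 4+ A? d.example. (27)
"""
QUERY_RE = re.compile(r"^IP \S+\.(\d+) > \S+\.53: ")

def parse_source_ports(capture):
    """Return the translated source port of each outgoing DNS query."""
    return [int(m.group(1)) for m in map(QUERY_RE.match, capture.splitlines()) if m]

def shannon_entropy_bits(ports):
    """Entropy (bits) of the observed port distribution; 16 is the maximum."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())

def sequential_fraction(ports):
    """Share of consecutive queries whose port rose by exactly one: the
    signature of a PAT device handing out translated ports in order."""
    if len(ports) < 2:
        return 0.0
    return sum(b - a == 1 for a, b in zip(ports, ports[1:])) / (len(ports) - 1)

def assess_port_randomness(ports, max_seq=0.2, min_distinct=0.9, min_span=1024):
    """'sequential' if PAT allocates in order, 'low-entropy' if the ports
    repeat or sit in a narrow pool, else 'ok'. Thresholds are heuristics
    chosen for this example; a few hundred queries give a usable sample."""
    if len(ports) < 2:
        return "insufficient-data"
    if sequential_fraction(ports) > max_seq:
        return "sequential"
    if len(set(ports)) < min_distinct * len(ports) or max(ports) - min(ports) < min_span:
        return "low-entropy"
    return "ok"

# Constructed samples: a PAT box with a 64-port pool, and a well-behaved one.
rng = random.Random(2008)
NARROW_POOL = [rng.randrange(40000, 40064) for _ in range(200)]
WIDE_RANDOM = rng.sample(range(1024, 65536), 200)

if __name__ == "__main__":
    for name, ports in [("capture", parse_source_ports(SAMPLE_CAPTURE)),
                        ("narrow pool", NARROW_POOL), ("wide random", WIDE_RANDOM)]:
        print(f"{name}: {assess_port_randomness(ports)} "
              f"({shannon_entropy_bits(ports):.1f} bits over {len(ports)} queries)")
```

A capture that scores "sequential" or "low-entropy" outside the NAT while the resolver itself randomises ports points at the PAT device, not the DNS software.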
Last Updated ( Thursday, 24 July 2008 11:38 )