UDP source ports are not randomized with nslookup

Question

  • ...even after the latest DNS spoofing security fixes are installed on all Windows Operating Systems including Vista and Server 2008 SP1.

    Wednesday, July 30, 2008 8:10 PM

Answers

  • Hi ManServ,

    Thanks for your clarification. I think that we all overlooked the point that this behavior only happens on NSlookup.

    Yes, the security patch randomizes the DNS UDP source port by modifying the DNS resolver behavior. As NSLookup does not use the DNS client resolver but has its own resolver, the DNS UDP source port will not be randomized via NSLookup even after you have installed the security patch.

    As you mentioned, the UDP source port is randomized when you use ping. I think that your system is working properly and the security patch has been installed successfully.

    Laura Zhang - MSFT
    Monday, August 4, 2008 2:38 AM
    Moderator
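The thread turns on one measurement: sniff the queries and look at the UDP source ports (and, while you are there, the transaction IDs). The following analyzer is an added example, not code from the thread or from Microsoft. It parses raw IPv4/UDP frames itself, keeps only queries to UDP/53, and classifies the source-port sequence as fixed, sequential (what a port-preserving NAT, as in KB956190, produces) or randomized. The captures at the bottom are constructed test data, not real nslookup or NAT traces; feed it the packets from your own capture to get a real answer.

```python
"""
Added example (not from the thread): check whether the DNS queries in a
capture use randomized UDP source ports. Parses raw IPv4/UDP frames itself
(no pcap library), keeps queries to UDP/53 and scores source ports and
DNS transaction IDs. Sample captures below are constructed.
"""
import struct

DNS_PORT = 53
IPPROTO_UDP = 17


def parse_ipv4_udp(packet: bytes):
    """Return (src_port, dst_port, payload) for a packet starting at the
    IPv4 header, or None if it is not IPv4 carrying UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return src_port, dst_port, packet[ihl + 8:ihl + udp_len]


def dns_query_txid(payload: bytes):
    """Transaction ID of a DNS query, or None for responses (QR bit 0x8000
    set) and truncated payloads."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return None if flags & 0x8000 else txid


def collect_queries(packets):
    """(source port, transaction ID) for every DNS query sent to UDP/53."""
    out = []
    for pkt in packets:
        parsed = parse_ipv4_udp(pkt)
        if parsed is None:
            continue
        sport, dport, payload = parsed
        txid = dns_query_txid(payload)
        if dport == DNS_PORT and txid is not None:
            out.append((sport, txid))
    return out


def assess_sequence(values):
    """Classify a sequence of 16-bit values (ports or TXIDs):
    'fixed'      - one value reused for every query
    'sequential' - nearly every value is the previous one + 1, the pattern
                   KB956190 describes for queries rewritten by a NAT
    'randomized' - neither of the above
    """
    if len(values) < 2:
        return "insufficient"
    if len(set(values)) == 1:
        return "fixed"
    deltas = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    if sum(d == 1 for d in deltas) >= 0.8 * len(deltas):
        return "sequential"
    return "randomized"


def assess_capture(packets):
    queries = collect_queries(packets)
    return {
        "queries": len(queries),
        "source_ports": assess_sequence([p for p, _ in queries]),
        "txids": assess_sequence([t for _, t in queries]),
    }


def build_dns_query(src_port, txid, qname=b"www.example.com"):
    """Constructed IPv4/UDP/DNS A query for testing (checksums left zero)."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.split(b"."):
        dns += bytes([len(label)]) + label
    dns += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", src_port, DNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     IPPROTO_UDP, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return ip + udp


# Constructed captures standing in for sniffer output (not real traces).
NSLOOKUP_LIKE = [build_dns_query(1027, 0x3000 + 101 * i) for i in range(8)]  # one port reused
NAT_SEQUENTIAL = [build_dns_query(49152 + i, 0x2000 + 37 * i) for i in range(8)]
RANDOMIZED = [build_dns_query(p, t) for p, t in
              zip((53901, 49217, 61003, 50442, 58976, 52210, 63317, 49998),
                  (0x9F3A, 0x1C07, 0x7EE1, 0xB402, 0x2D9C, 0xE615, 0x48FB, 0x0B60))]

if __name__ == "__main__":
    for name, cap in (("nslookup-like", NSLOOKUP_LIKE), ("behind NAT", NAT_SEQUENTIAL),
                      ("patched resolver", RANDOMIZED)):
        print(name, assess_capture(cap))
```

Run it against the stub-resolver traffic (a `ping somehost` as in the thread) and against `nslookup` separately; the thread's conclusion predicts "randomized" for the former and a non-random verdict for the latter on a patched box. A "sequential" result on traffic seen from outside a firewall points at the NAT rewriting ports (KB956190), not at the host.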

All replies

  • Hello,

    Have you caught this Microsoft Knowledge Base article?

    DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)

    http://support.microsoft.com/kb/956190

    This article explains the issue of sequential port assignments even after security update 953230 because of the NAT (Network address translation) on the firewall.

    Thursday, July 31, 2008 7:40 AM
    Moderator
  • Hello,

    Have you grabbed your most favorite packet capture program to verify? My posting is not limited to firewall/NAT scenarios.
    Thursday, July 31, 2008 5:14 PM
  • Hi ManServ,

    According to Microsoft Security Bulletin MS08-037, this issue also affects Windows Server 2008.
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;953230

    I understand that you have installed the latest Windows Updates on Windows Server 2008. Please check to ensure that update KB951748 has been installed successfully on the DNS client and KB951746 has been installed successfully on the DNS server. Please also match the affected file versions that are described in the above knowledge base article to ensure all the files have been updated.

    Meanwhile, please make sure to restart the DNS service so that the modification can take effect. You may also try to reboot the server and client to test again.

    Laura Zhang - MSFT
    Friday, August 1, 2008 2:18 AM
    Moderator
  • I have done all that. The issue still occurs.

    Have you used a packet sniffer to verify? (IMPORTANT!)

    As I said: DNS requests sent by nslookup don't have randomized source ports. When I ICMP ping / echo request a dns name the DNS request generated by that _has_ randomized source ports.
    Friday, August 1, 2008 8:11 AM
  • Why aren't source ports for other programs also randomized to reduce the attack surface?
    Will there be a patch for Microsoft's Internet Security and Acceleration Server to randomize all source ports of NAT'ed connections?
    Monday, August 4, 2008 1:11 PM
  • I am not sure whether there will be an update for ISA. Anyway, I will forward your feedback to the corresponding group. Thanks.
    Laura Zhang - MSFT
    Tuesday, August 5, 2008 1:22 AM
    Moderator
  • Does anyone have an answer to the first question of my previous post?
    I hope the ISA team reacts. To my mind patching NAT gateways is a must.
    Tuesday, August 5, 2008 8:20 AM
  • It seems a patch is now available for Microsoft Internet Security and Acceleration Server 2004 (ISA): http://support.microsoft.com/kb/958024 (DNS queries that are passed through ISA Server 2004 NAT do not use random source ports)

    Good work Microsoft.
    Wednesday, November 12, 2008 11:37 PM