m0n0wall & DNS Vulnerability
mjgraves | July 22, 2008
It appears that Dan Kaminsky’s DNS vulnerability is now out in the open. Or maybe it isn’t. Who knows. There was a lot of noise about vendors and ISPs dealing with patches, etc.
Happily, it appears that m0n0wall is not significantly affected. Manuel Kasper made a post on the user mailing list some time ago announcing v1.3b13-pre with an update to Dnsmasq. I installed this today without incident.
Words cannot express how much I appreciate m0n0wall. It’s simply fantastic for SOHO situations like my office.
A related note, with the new DNS port randomization some people are having problems with SIP/RTP configurations and wide UDP port forwardings, like asterisk’s default of 10000-20000.
The results is random DNS failures when it collides with the wide RTP port forwards.
A solution is to reduce the size of your RTP port range in rtp.conf (rtpstart and rtpend) and your inbound NAT forwarding settings in m0n0wall.
Lonnie
Excellent info! Thanks for letting me know.