DNS checker reboots ZyWALL in ZyXEL http://www.dslreports.com/forum/r20767898 en Wed, 03 Dec 2008 03:00:19 EDT Wed, 03 Dec 2008 03:00:19 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20952300 CampMaster :
said by Brano See Profile :

Which version do you have?
I've got V4.04(XD.1)_db(0808) | 08/08/2008
Ahhh, I have: V4.04(XD.1)_db(0714) | 07/15/2008

~CMT
--
There's no place like 127.0.0.1
]]> http://www.dslreports.com/forum/remark,20952300 Thu, 14 Aug 2008 19:25:42 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20952290 Brano : Which version do you have?
I've got V4.04(XD.1)_db(0808) | 08/08/2008]]> http://www.dslreports.com/forum/remark,20952290 Thu, 14 Aug 2008 19:23:28 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20951837 CampMaster : I received the Beta FW for the ZW5.

I have a DNS Server behind the ZW5.

Sadly, the beta firmware does NOT randomize source ports:
Number of samples: 23
Unique ports: 23
Range: 15043 - 15159
Modified Standard Deviation: 22
Bits of Randomness: 6
Values Seen: 15138 15139 15140 15141 15142 15143 15144 15145 15043 15146 15147 15148 15149 15150 15151 15152 15153 15154 15155 15156 15157 15158 15159

~CMT
--
There's no place like 127.0.0.1
]]> http://www.dslreports.com/forum/remark,20951837 Thu, 14 Aug 2008 17:47:55 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20948140 Brano : This was just test to my ISP's DNS servers.
ZyXel is fully aware of all the issues and the new FW should be out within a month. I'm sure we'll give it a close look then ;) (I don't have much spare time now to check this beta release thoroughly).]]> http://www.dslreports.com/forum/remark,20948140 Thu, 14 Aug 2008 00:06:11 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20947788 jamesv : brano, were those results using queries sourced by the Z5's internal nameserver or one on a separate server behind the NAT on the LAN?

ZyXel has two separate issues: fixing the DNS cache within the ZyWall and fixing the NAT within the ZyWall so that it does not linearize random source ports on a LAN server.]]> http://www.dslreports.com/forum/remark,20947788 Wed, 13 Aug 2008 22:48:55 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20917559 Brano : Here are tests with the Z5 beta firmware.
I'll do some sniffing to check source ports tomorrow.

[att=1]
Test from »www.doxpara.com

[att=2]
Test from »entropy.dns-oarc.net/test
 
Click for full size
]]> http://www.dslreports.com/forum/remark,20917559 Fri, 08 Aug 2008 00:28:49 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20911921 CampMaster : Will that update also provide for the randomizing of outgoing ports?

When is this expected to be released? for the ZW5?

Thanks!

~CMT
--
There's no place like 127.0.0.1
]]> http://www.dslreports.com/forum/remark,20911921 Thu, 07 Aug 2008 00:34:39 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20852578 Brano : The DNS checker reboot issue has been fixed in current beta firmware. Should be in next formal release.]]> http://www.dslreports.com/forum/remark,20852578 Sat, 26 Jul 2008 13:54:09 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20840265 bbarrera : My understanding is that ZLD-based ZyWALLs (zw1050 and USG) firewalls have a NAT implementation that does not change source ports unless the port is currently in use and then it uses a random port above port 1025.]]> http://www.dslreports.com/forum/remark,20840265 Thu, 24 Jul 2008 02:18:28 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20831985 bbarrera : The ZyWALL 1050 and USG300 appear to be randomizing ports for the LAN-based recursive dns caches. The ZyWALL 1050 has Windows Server 2000 on its LAN and USG300 has djbnds on its LAN.]]> http://www.dslreports.com/forum/remark,20831985 Tue, 22 Jul 2008 16:16:09 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20827669 bbarrera : I understand that on the Linux-based zw1050/USG devices they are using BIND for dns proxy cache and the transaction IDs were fixed last year. They are now working on source port randomization.

Separately I asked about NAT port randomization and haven't received a reply yet, although I haven't tested to see if it is a problem.]]> http://www.dslreports.com/forum/remark,20827669 Mon, 21 Jul 2008 20:27:46 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20827413 dslpartner :
said by OZO See Profile :

I suppose fix will be in the next firmware release.
Based on what?]]> http://www.dslreports.com/forum/remark,20827413 Mon, 21 Jul 2008 19:35:40 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20827282 jamesv : Well, after a little more thought I realized the writeup I got isn't it either - that can be addressed in code on the cache (percentages made very low). So it's something else...

But predictable port numbers doesn't seem like a good idea for a firewall on general principles, and a "short-circuit" in the NAT port remapper to use the LAN source port if free on the WAN side seems unlikely to take long to implement or test and has a low chance of breakage.]]> http://www.dslreports.com/forum/remark,20827282 Mon, 21 Jul 2008 19:09:02 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20827161 OZO : I suppose fix will be in the next firmware release.]]> http://www.dslreports.com/forum/remark,20827161 Mon, 21 Jul 2008 18:49:02 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20826830 dslpartner : Anybody tried to tell ZyXEL about this, if yes, what was the answer?
--
"Perl is executable line noise, Python is executable pseudo-code." ]]> http://www.dslreports.com/forum/remark,20826830 Mon, 21 Jul 2008 17:47:08 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20826637 jamesv :
said by bbarrera See Profile :

DNS protocol was not designed to be secure but that doesn't excuse BIND from ignoring for many years a well known implementation technique that would reduce chance for cache poisoning.
I've now read a writeup of the problem and it has nothing to do with the coding, bind, or such.

But even with the bind or djbdns fixes it isn't safe to have a DNS cache behind a ZyWall until ZyXel fixes the NAT - ZyXel undoes the DNS fixes and leaves a cache as unsafe as if it had never been patched in the first place.

(the writeup I saw required that the attacker be able to send queries to the cache, which can be blocked. But I think it is also possible to get those queries made by poisoning a web site so that a browser on the "inside" does the queries to the cache which will be attacked - just blocking incoming DNS queries isn't good enough).]]> http://www.dslreports.com/forum/remark,20826637 Mon, 21 Jul 2008 17:15:18 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20823062 bbarrera : DNS protocol was not designed to be secure but that doesn't excuse BIND from ignoring for many years a well known implementation technique that would reduce chance for cache poisoning. ]]> http://www.dslreports.com/forum/remark,20823062 Sun, 20 Jul 2008 23:56:15 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20820053 jamesv :
said by bbarrera See Profile :

Unlike BIND and Microsoft DNS the djbdns dns cache has *never* been vulnerable to this exploit, and is credited with identifying the dns system design flaw and fix many years ago.
ISC and others seem to believe the problem is in the protocol not any particular cache software. ISC believes no software change is a complete fix but instead just makes the attack harder and that DNSSEC is the only complete solution.

If you're running djbdns behind a ZyWall whose NAT is remapping ports then the ZyWall may be undoing some of djbdns' security by making the DNS query ports predictable.]]> http://www.dslreports.com/forum/remark,20820053 Sun, 20 Jul 2008 11:24:23 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20815294 jig : this is interesting.

there was once a time when i was getting some issue with my z5 rebooting randomly, and i thought it had something to do with resolving lots of ips at once. couldn't ever nail it down.
--
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam.]]> http://www.dslreports.com/forum/remark,20815294 Sat, 19 Jul 2008 04:08:58 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20807522 OZO : I've just tested the new FW version V4.04(XD.1) | 06/26/2008 and the result is the same - ZyWALL router crashes and reboots after receiving 4 UDP packets of DNS requests from my computer. :(
--
Keep it simple, it'll become complex by itself...]]> http://www.dslreports.com/forum/remark,20807522 Thu, 17 Jul 2008 17:00:57 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20801184 bbarrera : USG series is Unix/Linux based ("ZLD") and uses BIND.

The zw5/35/70 series use the proprietary Zyxel ZyNOS operating system and unknown DNS proxy implementation (likely proprietary).]]> http://www.dslreports.com/forum/remark,20801184 Wed, 16 Jul 2008 15:35:34 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20801181 dslpartner :
said by OZO See Profile :

What firmware version does it have?
This info could be interesting for further investigation.
Its not even the same os, USG uses ZLD which is Linux based and older ZyWALL uses ZyNOS which is based on something else.]]> http://www.dslreports.com/forum/remark,20801181 Wed, 16 Jul 2008 15:35:01 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20801167 OZO : What firmware version does it have?
This info could be interesting for further investigation.]]> http://www.dslreports.com/forum/remark,20801167 Wed, 16 Jul 2008 15:32:47 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20799621 bbarrera : I've setup my USG300 as DNS proxy for one LAN computer, then pointed computer's browser at the DNS checker and it didn't reboot the USG300.]]> http://www.dslreports.com/forum/remark,20799621 Wed, 16 Jul 2008 10:54:59 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20798605 OZO : Thank you for checking.

I found that using ZW as a local DNS server (actually a proxy, but somehow advanced) is beneficial because:
1) I turn off NetBIOS on all local computers and run network without this old chatty protocol;
2) instead of maintaining hosts files on all computers I use ZW to keep all name resolutions for the LAN.

It's easy to add local host names and their corresponding IPs via Advanced | DNS | System | Address Record assignments. Try it and you won't need to change hosts files on all computers anymore.]]> http://www.dslreports.com/forum/remark,20798605 Wed, 16 Jul 2008 04:11:36 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20798276 SmurfLurf : I tried with a ZyWALL 5 and 2+, both running 4.04 firmware and it does reboot the unit... Just tried it for the fun of it, don't usually setup ZyWALL's as DNS proxy...]]> http://www.dslreports.com/forum/remark,20798276 Wed, 16 Jul 2008 01:08:52 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20790364 bbarrera : No problems here on USG300 but that is likely because I'm running djbdns as dns cache on my LAN, and not using any DNS on the ZyWALL USG300.

Unlike BIND and Microsoft DNS the djbdns dns cache has *never* been vulnerable to this exploit, and is credited with identifying the dns system design flaw and fix many years ago.]]> http://www.dslreports.com/forum/remark,20790364 Mon, 14 Jul 2008 16:39:16 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20790229 OZO : Thank you, guys, for confirmation!]]> http://www.dslreports.com/forum/remark,20790229 Mon, 14 Jul 2008 16:10:19 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20773689 dslpartner : Contact ZyXEL and tell them about the bug, until then try to set static dns servers on your hosts, instead of using the DNS proxy in the device.
--
"Perl is executable line noise, Python is executable pseudo-code." ]]> http://www.dslreports.com/forum/remark,20773689 Fri, 11 Jul 2008 04:59:54 EDT Re: DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20772735 MVS : I noticed the same problem on a ZyWALL 2 Plus using the latest firmware (V4.04(XU.1)) when using its IP as my DNS server.]]> http://www.dslreports.com/forum/remark,20772735 Thu, 10 Jul 2008 22:20:35 EDT DNS checker reboots ZyWALL http://www.dslreports.com/forum/remark,20767898 OZO : Tried many times DNS checker from this site - DoxPara Research (mentioned in this thread - Internet flaw could let hackers take over the Web) and every time my ZyWALL 5 rebooted. What's the heck?

I run the test with IE (or FireFox, yielding the same result) from WXP computer. It's DHCP client, which is getting DNS, pointing to ZyWALL.

Can anybody confirm it?

ZyWALL 5:
Bootbase Version V1.08 | 01/28/2005
Firmware Version V4.04(XD.0) | 03/28/2008
--
Keep it simple, it'll become complex by itself...]]> http://www.dslreports.com/forum/remark,20767898 Thu, 10 Jul 2008 00:42:06 EDT