From owner-freebsd-hackers Tue Jul 16 12: 8:41 2002
Date: Tue, 16 Jul 2002 11:47:55 -0700 (PDT)
From: Julian Elischer
To: Patrick Thomas
Cc: freebsd-hackers@freebsd.org
Subject: Re: resolver workaround conceptually possible ?
In-Reply-To: <20020716113916.U79469-100000@utility.clubscholarship.com>

On Tue, 16 Jul 2002, Patrick Thomas wrote:

>
> Understood.  That's not very painful at all - I assume any new version of
> bind9 will work then.

the newest definitely will

>
> Is there a reason this workaround couldn't be added to the
> freebsd-security advisory ?  Currently it states there is no workaround,
> and this is a very nice one...

If the security people felt like it, it would probably be an idea to
mention it..

Also, having your own caching forwarding server is usually a good idea
on any site with more than a few machines anyway.

>
> Also, you meant resolv.conf, right ? (not resolver.conf ?)

yes of course.. :-)

Of course you just need one forwarding server per site not per machine..
(and block outgoing dns requests from all other machines using the
firewall)

>
> --pt
>
> On Tue, 16 Jul 2002, Julian Elischer wrote:
>
> > a real workaround means:
> >
> > setting resolver.conf to point to 127.0.0.1
> > running a local copy of bind-9 as a forwarding server.
> > bind-9 rebuilds requests and answers it forwards..
> > bind-8 just passes them through.
> >
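
An added example, not part of the thread or of any FreeBSD tooling: a small Python check that a resolv.conf really sends every stub-resolver query to the loopback forwarder described in the workaround, so no answer reaches the libc resolver without passing through the local server first. The function names and the sample file contents are constructed for illustration.

```python
import ipaddress

# libc stub resolvers honour only the first MAXNS nameserver lines (3 on BSD and glibc).
MAXNS = 3


def nameservers(resolv_conf_text):
    """Return the nameserver addresses the stub resolver would actually use."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment lines start with '#' or ';'
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers[:MAXNS]


def non_loopback(resolv_conf_text):
    """Return nameserver entries that would bypass the local forwarder.

    An empty result means every query goes to the local machine. A file with
    no nameserver line also passes, because the resolver then defaults to the
    name server on the local host.
    """
    offenders = []
    for addr in nameservers(resolv_conf_text):
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                offenders.append(addr)
        except ValueError:
            offenders.append(addr)  # unparsable entry: flag it for review
    return offenders


# Constructed samples. 192.0.2.53 is a documentation-range placeholder.
GOOD = "# local forwarder only\nsearch example.org\nnameserver 127.0.0.1\n"
# A "fallback" upstream defeats the workaround whenever the local server is slow or down.
MIXED = "nameserver 127.0.0.1\nnameserver 192.0.2.53\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("MIXED", MIXED)):
        bad = non_loopback(text)
        print(name, "OK" if not bad else "bypasses local forwarder via %s" % bad)
```
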