From owner-freebsd-stable@FreeBSD.ORG Tue Jul 22 16:20:28 2008
Date: Tue, 22 Jul 2008 06:20:25 -1000
From: Clifton Royston
To: Oliver Fromme
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <20080722162024.GA1279@lava.net>
In-Reply-To: <200807221552.m6MFqgpm009488@lurza.secnetix.de>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de>

On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote:
> Brett Glass wrote:
> > At 02:24 PM 7/21/2008, Kevin Oberman wrote:
> > > Don't forget that ANY server that caches data, including an end system
> > > running a caching only server is vulnerable.
> >
> > Actually, there is an exception to this. A "forward only"
> > cache/resolver is only as vulnerable as its forwarder(s). This is a
> > workaround for the vulnerability for folks who have systems that they
> > cannot easily upgrade: point at a trusted forwarder that's patched.
> >
> > We're also looking at using dnscache from the djbdns package.
>
> I'm curious, is djbdns exploitable, too? Does it randomize
> the source ports of UDP queries?

AFAIK Dan Bernstein first spelled out the fundamental problems with DNS
response forgery in 2001. He implemented dnscache to randomize source
ports and IDs from the beginning, via a cryptographic quality RNG. See
for instance this page, much of it written in 2003:

He rubs a lot of people the wrong way, but I think he has usually proved
to be right on security issues. I also think that modular design of
security-sensitive tools is the way to go, with his DNS tools as with
Postfix.

  -- Clifton

-- 
    Clifton Royston -- cliftonr@iandicomputing.com / cliftonr@lava.net
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
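The question in this thread (does the resolver randomize UDP source ports, or only the 16-bit transaction ID?) is something an operator can verify from a packet capture of the resolver's own outbound queries. The following is an added example, not code from the thread or from BIND or djbdns: it takes a list of (source port, transaction ID) pairs as they would be read out of a capture, measures how much of the port space the resolver actually uses, and reports the size of the space a forged response would have to match. The two sample captures are constructed for illustration; the only assumption is that each pair comes from a distinct outbound query.

```python
import math
from collections import Counter

# Constructed sample: a resolver that sends every query from one fixed port.
# Only the 16-bit transaction ID varies, so a forged answer needs to match
# just that one field.
FIXED_PORT_SAMPLE = [
    (53, 0x1A2B), (53, 0x3C4D), (53, 0x5E6F), (53, 0x7081),
    (53, 0x92A3), (53, 0xB4C5), (53, 0xD6E7), (53, 0xF809),
]

# Constructed sample: a resolver that draws a fresh source port per query
# (what dnscache did from the start and what patched BIND does).
RANDOM_PORT_SAMPLE = [
    (41023, 0x1A2B), (55871, 0x3C4D), (33190, 0x5E6F), (60402, 0x7081),
    (47731, 0x92A3), (38016, 0xB4C5), (52948, 0xD6E7), (44587, 0xF809),
]

# Size of the unprivileged UDP port range 1024..65535 a randomizing
# resolver can draw from.
EPHEMERAL_PORT_RANGE = 65535 - 1024 + 1   # 64512 ports


def shannon_entropy_bits(values):
    """Observed entropy of a sample in bits.

    Note the estimate is capped by log2(len(values)): eight queries can show
    at most 3 bits, so a short capture can only prove the absence of
    randomization, never its full strength.
    """
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def search_space_bits(port_range_size):
    """Bits a spoofed reply must match: 16-bit TXID plus log2(port range)."""
    return 16 + math.log2(port_range_size)


def assess(sample):
    """Summarize a capture of (source_port, txid) pairs from one resolver."""
    ports = [p for p, _ in sample]
    txids = [t for _, t in sample]
    distinct_ports = len(set(ports))
    return {
        "queries": len(sample),
        "distinct_ports": distinct_ports,
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": shannon_entropy_bits(ports),
        "txid_entropy_bits": shannon_entropy_bits(txids),
        # One port across the whole capture means the port adds nothing
        # to the space an attacker has to guess.
        "randomizes_ports": distinct_ports > 1,
        "guess_space_bits_if_fixed_port": search_space_bits(1),
        "guess_space_bits_if_full_range": search_space_bits(EPHEMERAL_PORT_RANGE),
    }


if __name__ == "__main__":
    for name, sample in (("fixed-port resolver", FIXED_PORT_SAMPLE),
                         ("randomizing resolver", RANDOM_PORT_SAMPLE)):
        report = assess(sample)
        print(f"{name}: distinct ports={report['distinct_ports']}, "
              f"port entropy={report['port_entropy_bits']:.2f} bits, "
              f"randomizes ports={report['randomizes_ports']}")
    print(f"guess space: fixed port {search_space_bits(1):.0f} bits, "
          f"full ephemeral range {search_space_bits(EPHEMERAL_PORT_RANGE):.2f} bits")
```

On a real system the pairs would come from a capture filtered to UDP destination port 53 leaving the resolver; a handful of queries is enough to catch a fixed source port, which is the configuration the thread is warning about. The entropy figure is only a sanity check on the capture, not a measurement of the RNG itself.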