Date: Tue, 12 Nov 2002 19:10:32 -0500 (EST)
From: Matt Piechota
To: Michael Carew
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)]

On Wed, 13 Nov 2002, Michael Carew wrote:

> At least limiting it prevents someone setting up an authoritative server,
> then making a query to that domain off your name server.
>
> They are then reliant on a legitimate client querying the server with the
> malicious content, rather than them doing it themselves.
>
> Reducing the changes substantially I would imagine.

Not as much as you'd think. If you use tcpwrappers and something like *.foo.edu, it'll do a reverse lookup to find out if a.b.c.d matches *.foo.edu. I think other things do at least reverse lookups as well (i.e., so 'w' shows what host I'm connecting from vs. what IP). It's a little more difficult to have a reverse DNS domain, but not much. Besides, I think there are a few services that do a reverse then a forward to see if the names match. (I think I remember reading that)

--
Matt Piechota
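Added example, not part of the original message and not tcpwrappers' own code: a sketch of the "reverse then forward" check mentioned above, applied to a suffix rule like *.foo.edu. The function names, the addresses (documentation ranges) and the in-memory PTR/A tables are constructed for illustration; the QUERIES list records which names the server's resolver was made to look up, which happens whether or not the connection ends up allowed.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR names for ip via the system resolver (empty list on failure)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """Addresses for name via the system resolver (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def confirmed_names(ip, reverse=system_reverse, forward=system_forward):
    """PTR names of ip whose forward lookup contains ip again."""
    names = (n.rstrip(".").lower() for n in reverse(ip))
    return [n for n in names if ip in forward(n)]

def host_allowed(ip, suffix, reverse=system_reverse, forward=system_forward):
    """True if a forward-confirmed name of ip ends with suffix, e.g. '.foo.edu'."""
    names = confirmed_names(ip, reverse, forward)
    return any(n.endswith(suffix.lower()) for n in names)

# Constructed sample data standing in for DNS. The second address has a PTR
# record that merely claims a foo.edu name; the foo.edu zone does not agree.
PTR = {"192.0.2.10": ["lab1.foo.edu."], "203.0.113.7": ["lab1.foo.edu."]}
A = {"lab1.foo.edu": {"192.0.2.10"}}
QUERIES = []  # every name the resolver was asked for, in order

def demo_reverse(ip):
    QUERIES.append(ipaddress.ip_address(ip).reverse_pointer)
    return PTR.get(ip, [])

def demo_forward(name):
    QUERIES.append(name)
    return A.get(name, set())

if __name__ == "__main__":
    for ip in PTR:
        print(ip, host_allowed(ip, ".foo.edu", demo_reverse, demo_forward))
    print(QUERIES)
```

The forward confirmation rejects the unconfirmed PTR claim, but the reverse query for the connecting address is still sent to whoever runs that reverse zone, so the name server needs the BIND fix regardless of who is allowed to query it directly.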