Date:      Mon, 21 Jul 2008 16:18:16 -0600
From:      Brett Glass <brett@lariat.net>
To:        "Kevin Oberman" <oberman@es.net>, Max Laier <max@love2party.net>
Cc:        stable@freebsd.org, Doug Barton <dougb@freebsd.org>, freebsd-stable@freebsd.org
Subject:   Re: FreeBSD 7.1 and BIND exploit 
Message-ID:  <200807212219.QAA01486@lariat.net>
In-Reply-To: <20080721202418.7CF9B4500E@ptavv.es.net>
References:  <Your message of "Mon, 21 Jul 2008 21:38:46 +0200." <200807212138.46703.max@love2party.net> <20080721202418.7CF9B4500E@ptavv.es.net>

At 02:24 PM 7/21/2008, Kevin Oberman wrote:

>Don't forget that ANY server that caches data, including an end system
>running a caching only server is vulnerable.

Actually, there is an exception to this. A "forward only" cache/resolver is only as vulnerable as its forwarder(s). This is a workaround for the vulnerability for folks who have systems that they cannot easily upgrade: point at a trusted forwarder that's patched.

We're also looking at using dnscache from the djbdns package. It's really idiosyncratic, but seems to work well -- and if you're just doing a caching resolver you don't have to touch it once you get it configured.

Of course, all solutions that randomize ports are really just "security by obscurity," because by shuffling ports you're hiding the way to poison your cache... a little.

--Brett Glass
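The thread above argues about how much source-port randomization buys a caching resolver against the 2008 cache-poisoning attack. The following is an added worked example, not code from the thread or from BIND or djbdns: it models the race that the resolver and a spoofing attacker run each time the resolver sends an upstream query, and puts numbers on the guess space with a fixed source port versus a randomized one. Assumptions (mine, not the page's): the resolver's randomized source port is drawn uniformly from 1024-65535, the attacker sends a fixed number of distinct (port, TXID) guesses per race before the genuine answer lands, and the attacker can start a fresh race at will by triggering a query for a name the cache does not hold. Whether the vulnerable socket belongs to the local resolver or to the forwarder it points at, the arithmetic is the same.

```python
import math
import random

# --- Model parameters (assumptions for this illustration) ---------------------
TXID_SPACE = 1 << 16              # the DNS transaction ID is a 16-bit field
FIXED_PORT = 53                   # a resolver that reuses one query source port
PORT_RANGE = range(1024, 65536)   # assumed ephemeral range of a port-randomizing resolver


def guess_space(randomize_port: bool) -> int:
    """Number of distinct (source port, TXID) pairs a forged reply must match.

    With a fixed source port only the TXID has to be guessed; with a
    randomized port the two fields multiply.
    """
    ports = len(PORT_RANGE) if randomize_port else 1
    return ports * TXID_SPACE


def race_success_probability(forged_per_race: int, randomize_port: bool) -> float:
    """Probability that a single race is won.

    The attacker sends `forged_per_race` *distinct* guesses before the genuine
    answer arrives, so the chance that one of them is accepted is simply the
    fraction of the guess space covered (capped at 1).
    """
    return min(1.0, forged_per_race / guess_space(randomize_port))


def poison_probability(forged_per_race: int, races: int, randomize_port: bool) -> float:
    """Probability that the cache is poisoned within `races` independent races."""
    p = race_success_probability(forged_per_race, randomize_port)
    return 1.0 - (1.0 - p) ** races


def races_needed(target: float, forged_per_race: int, randomize_port: bool) -> int:
    """Smallest number of races that reaches `target` overall success probability."""
    p = race_success_probability(forged_per_race, randomize_port)
    if p >= 1.0:
        return 1
    # Solve 1 - (1-p)^n >= target for n; log1p keeps precision for tiny p.
    return math.ceil(math.log1p(-target) / math.log1p(-p))


def simulate(races: int, forged_per_race: int, randomize_port: bool, seed: int = 0) -> bool:
    """Monte-Carlo check of the model.

    Each race the resolver picks a fresh (port, TXID); the attacker replays the
    same enumeration of distinct guesses (TXID fastest, then port).  The race
    is won iff the resolver's choice lies within the first `forged_per_race`
    entries of that enumeration.  Returns True if any race was won.
    """
    rng = random.Random(seed)
    for _ in range(races):
        port_index = rng.randrange(len(PORT_RANGE)) if randomize_port else 0
        txid = rng.randrange(TXID_SPACE)
        position = port_index * TXID_SPACE + txid
        if position < forged_per_race:
            return True
    return False


if __name__ == "__main__":
    for randomize in (False, True):
        label = "random source port" if randomize else "fixed source port"
        print(f"{label:19s} guess space {guess_space(randomize):>13,}  "
              f"races for 50% with 1000 forged replies each: "
              f"{races_needed(0.5, 1000, randomize):,}")
```

Run stand-alone, the script prints the guess space (65,536 versus about 4.2 billion under the assumed port range) and how many races the attacker needs at 1000 forged replies per race: a few dozen with a fixed port, several million with a randomized one. The numbers are only as good as the assumptions above; a resolver that randomizes over a narrower range, or an attacker who can fit more forged replies into the window, shifts them, and a forward-only resolver simply relocates the race to the forwarder's socket, which is exactly why it is "only as vulnerable as its forwarders".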




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200807212219.QAA01486>