From owner-freebsd-stable@FreeBSD.ORG  Mon Jul 21 22:20:05 2008
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 931E31065676;
	Mon, 21 Jul 2008 22:20:05 +0000 (UTC)
	(envelope-from brett@lariat.net)
Received: from lariat.net (lariat.net [66.119.58.2])
	by mx1.freebsd.org (Postfix) with ESMTP id 02C9A8FC2A;
	Mon, 21 Jul 2008 22:20:04 +0000 (UTC)
	(envelope-from brett@lariat.net)
Received: from anne-o1dpaayth1.lariat.org (IDENT:ppp1000.lariat.net@lariat.net
	[66.119.58.2]) by lariat.net (8.9.3/8.9.3) with ESMTP id QAA01486;
	Mon, 21 Jul 2008 16:19:38 -0600 (MDT)
Message-Id: <200807212219.QAA01486@lariat.net>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 21 Jul 2008 16:18:16 -0600
To: "Kevin Oberman" <oberman@es.net>, Max Laier <max@love2party.net>
From: Brett Glass <brett@lariat.net>
In-Reply-To: <20080721202418.7CF9B4500E@ptavv.es.net>
References: <Your message of "Mon, 21 Jul 2008 21:38:46 +0200."
	<200807212138.46703.max@love2party.net>
	<20080721202418.7CF9B4500E@ptavv.es.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: stable@freebsd.org, Doug Barton <dougb@freebsd.org>,
	freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit 
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2008 22:20:05 -0000

At 02:24 PM 7/21/2008, Kevin Oberman wrote:

>Don't forget that ANY server that caches data, including an end system
>running a caching only server is vulnerable.

Actually, there is an exception to this. A "forward only" cache/resolver is only as vulnerable as its forwarder(s). This is a workaround for the vulnerability for folks who have systems that they cannot easily upgrade: point at a trusted forwarder that's patched.

We're also looking at using dnscache from the djbdns package. It's really idiosyncratic, but seems to work well -- and if you're just doing a caching resolver you don't have to touch it once you get it configured.

Of course, all solutions that randomize ports are really just "security by obscurity," because by shuffling ports you're hiding the way to poison your cache... a little.

--Brett Glass