Date: Thu, 10 Jul 2008 18:37:10 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: =?ISO-8859-1?Q?Joshua_Frug=E9?= <joshuafruge@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: dns update for 7.0 Message-ID: <487648C6.6030403@infracaninophile.co.uk> In-Reply-To: <2f33bdd20807100905l4d6ead71jfa21838420b42445@mail.gmail.com> References: <2f33bdd20807100905l4d6ead71jfa21838420b42445@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig8D526E2DB33C93DE0BF9DBB2 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Joshua Frug=E9 wrote: > I just joined the list (but did search the archive), so I apologize in > advance if this was already answered and I missed it. >=20 > What's the process to update the base bind in freebsd for the new > cacheing poisoning vuln that seems to be all the rage lately? >=20 > I'm running freebsd 7.0-RELEASE-p2 and I am using the included base > bind 9.4.2 as resolver for my network. Will there be an update > through freebsd-update to upgrade to bind 9.4.2-p1, or is there some > other process I need to follow....compile source and replace?. I recommend you install one or other of the bind ports: dns/bin9 dns/bind94 dns/bind95 All of these were updated last night to include the UDP port randomization stuff in the latest security patch. (There's not much point in installing dns/bind9 though, as that's a downgrade to bind9.3 from the system supplied bind-9.4.2) You don't need to overwrite the base system bind -- the vulnerability works on the cache of a running instance of named when configured as a re= cursive resolver. So as long as you start up the patched daemon, everyth= ing should be fine. To start up the version of bind you just installed from ports, add named_enable=3D"YES" named_program=3D"/usr/local/sbin/named" named_flags=3D"-c /etc/namedb/named.conf" to /etc/rc.conf and then run: /etc/rc.d/named restart and check your system logs for a line saying something like: starting BIND 9.X.Y-P1 -c /etc/namedb/named.conf -t /var/named -u bind where the 'P1' bit shows you're running the patched version. There may well be a security notice and a patch for the base system generated in the next few days: the security team is looking into the matter and will respond in due course. D-day for having everything=20 properly patched is the presentation Dan Kaminsky is doing at the Blackhats conference on August 6th (or possibly August 7th) The patches ISC have produced will have an adverse effect if you're=20 answering something in excess of 10,000 DNS queries a second, which is=20 rather more than most people would get to deal with, but are otherwise=20 innocuous. http://www.isc.org/index.pl?/sw/bind/bind-security.php To test if a recursive nameserver is potentially vulnerable, grab the perl script from this site: http://michael.toren.net/code/noclicky/ Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig8D526E2DB33C93DE0BF9DBB2 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkh2SM0ACgkQ8Mjk52CukIwYogCeMssEVqM+iOc/fwZ3/H74iAgN wNkAn0flpulUYEw8B/KzVY2Mv+UjOpuA =zDgr -----END PGP SIGNATURE----- --------------enig8D526E2DB33C93DE0BF9DBB2--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?487648C6.6030403>