From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Thu, 10 Jul 2008 18:37:10 +0100
To: Joshua Frugé
Cc: freebsd-questions@freebsd.org
Subject: Re: dns update for 7.0

Joshua Frugé wrote:
> I just joined the list (but did search the archive), so I apologize in
> advance if this was already answered and I missed it.
>
> What's the process to update the base bind in freebsd for the new
> cache poisoning vuln that seems to be all the rage lately?
>
> I'm running freebsd 7.0-RELEASE-p2 and I am using the included base
> bind 9.4.2 as resolver for my network. Will there be an update
> through freebsd-update to upgrade to bind 9.4.2-p1, or is there some
> other process I need to follow....compile source and replace?

I recommend you install one or other of the bind ports:

    dns/bind9
    dns/bind94
    dns/bind95

All of these were updated last night to include the UDP port randomization
stuff in the latest security patch. (There's not much point in installing
dns/bind9 though, as that's a downgrade to bind 9.3 from the system-supplied
bind-9.4.2.)

You don't need to overwrite the base system bind -- the vulnerability works
on the cache of a running instance of named when configured as a recursive
resolver. So as long as you start up the patched daemon, everything should
be fine.

To start up the version of bind you just installed from ports, add

    named_enable="YES"
    named_program="/usr/local/sbin/named"
    named_flags="-c /etc/namedb/named.conf"

to /etc/rc.conf and then run:

    /etc/rc.d/named restart

and check your system logs for a line saying something like:

    starting BIND 9.X.Y-P1 -c /etc/namedb/named.conf -t /var/named -u bind

where the 'P1' bit shows you're running the patched version.

There may well be a security notice and a patch for the base system
generated in the next few days: the security team is looking into the
matter and will respond in due course. D-day for having everything
properly patched is the presentation Dan Kaminsky is doing at the
Black Hat conference on August 6th (or possibly August 7th).

The patches ISC have produced will have an adverse effect if you're
answering something in excess of 10,000 DNS queries a second, which is
rather more than most people would get to deal with, but are otherwise
innocuous.

http://www.isc.org/index.pl?/sw/bind/bind-security.php

To test if a recursive nameserver is potentially vulnerable, grab the perl
script from this site:

http://michael.toren.net/code/noclicky/

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
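Added example, not part of Matthew's message or of the FreeBSD rc scripts: a small sh script that performs the check his reply describes before you restart named. It reads named_program out of rc.conf (falling back to the base system binary when it is unset), runs that binary with -v, and looks for a -P<n> suffix on the BIND version, so you learn whether you are about to start the patched ports build or the unpatched base one. The paths /usr/sbin/named and /usr/local/sbin/named, the assumption that `named -v` prints a line like "BIND 9.4.2-P1", and the sample rc.conf contents are mine, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the named which
# /etc/rc.conf will launch is a patched (-P1 or later) build before restarting.
# Assumptions of this example: the ports binary is /usr/local/sbin/named, the
# base system binary is /usr/sbin/named, and `named -v` prints "BIND 9.4.2-P1"
# or similar on its first line.

# rc_named_program RCFILE
# Print the named_program value from RCFILE (last assignment wins, as in sh);
# fall back to the base system named when the variable is not set.
rc_named_program() {
    prog=$(sed -n 's/^named_program="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${prog:-/usr/sbin/named}"
}

# bind_is_patched STRING
# Succeed if STRING carries a -P<n> patch suffix after the BIND version.
# Accepts both `named -v` output ("BIND 9.4.2-P1") and the syslog line
# ("starting BIND 9.4.2-P1 -c /etc/namedb/named.conf -t /var/named -u bind").
bind_is_patched() {
    case "$1" in
        *BIND\ [0-9]*.[0-9]*.[0-9]*-P[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# named_version BINARY
# Print the first line of `BINARY -v`; fail if BINARY is not executable.
named_version() {
    [ -x "$1" ] || return 1
    "$1" -v 2>&1 | head -n 1
}

# check_named RCFILE
# Report which named rc.conf will start and whether it is a patched build.
# Exit status 0 = patched, 1 = unpatched or could not be determined.
check_named() {
    prog=$(rc_named_program "$1")
    ver=$(named_version "$prog") || { echo "cannot run $prog"; return 1; }
    if bind_is_patched "$ver"; then
        echo "OK: $prog reports '$ver' (patched)"
        return 0
    fi
    echo "NOT PATCHED: $prog reports '$ver'; install dns/bind94 and set named_program to it"
    return 1
}

# Usage: sh check-named.sh check [/path/to/rc.conf]
if [ "${1:-}" = "check" ]; then
    check_named "${2:-/etc/rc.conf}"
fi
```

Run it as `sh check-named.sh check /etc/rc.conf` after adding the three rc.conf lines and before `/etc/rc.d/named restart`; if it reports the base /usr/sbin/named, the named_program line has not taken effect. The same `bind_is_patched` test applied to the "starting BIND ..." syslog line is the check Matthew suggests doing by eye.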