Date: Mon, 21 Jul 2008 13:24:18 -0700
From: "Kevin Oberman" <oberman@es.net>
To: Max Laier <max@love2party.net>
Cc: Brett Glass <brett@lariat.net>, stable@freebsd.org, Doug Barton <dougb@freebsd.org>, freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <20080721202418.7CF9B4500E@ptavv.es.net>
In-Reply-To: Your message of "Mon, 21 Jul 2008 21:38:46 +0200." <200807212138.46703.max@love2party.net>
> From: Max Laier <max@love2party.net>
> Date: Mon, 21 Jul 2008 21:38:46 +0200
> Sender: owner-freebsd-stable@freebsd.org
>
> On Monday 21 July 2008 21:14:22 Doug Barton wrote:
> > Brett Glass wrote:
> > | Everyone:
> > |
> > | Will FreeBSD 7.1 be released in time to use it as an upgrade to
> > | close the BIND cache poisoning hole?
> >
> > Brett, et al,
> >
> > I'll make this simple for you. If you have a server that is running
> > BIND, update BIND now. If you need to use the ports, that's fine, just
> > do it now. Make sure that you are not specifying a port via any
> > query-source* options in named.conf, and that any firewall between
> > your named process and the outside world does keep-state on outgoing
> > UDP packets.
>
> ... and that any NAT device employs at least a somewhat random port
> allocation mechanism - pf provides this.

And, if you are not sure how good a job it does (and I am not), you should
use the OARC test to check how well it works:

    dig +short porttest.dns-oarc.net TXT

If the result is not "GOOD", it's not good enough. You can test a remote
server by adding "@remote-server" to the dig command. The server may be
specified by name or IP address.

Don't forget that ANY server that caches data, including an end system
running a caching only server is vulnerable.

-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
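The two checks the thread recommends (no fixed port in any query-source* option, and a "GOOD" verdict from the OARC port test) can be scripted. The following is an added example, not code from the thread or from BIND; the named.conf fragment is constructed, and the shape of the porttest TXT answer ("<ip> is GOOD: ...") is assumed from what the message describes.

```python
import re

# Constructed named.conf fragment (not from the original message).
SAMPLE_NAMED_CONF = """
options {
    directory "/etc/namedb";
    // A fixed source port defeats source-port randomization.
    query-source address * port 53;
    query-source-v6 address * port *;   /* random port: fine */
    # query-source address 192.0.2.1 port 5300;   (commented out)
    recursion yes;
};
"""

def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#).*", " ", text)
    return text

# Each query-source / query-source-v6 statement up to its terminating ';'.
QUERY_SOURCE_RE = re.compile(r"\b(query-source(?:-v6)?)\b([^;]*);", re.I)
# The port clause inside it: either '*' (random, fine) or a fixed number.
PORT_RE = re.compile(r"\bport\s+(\*|\d+)", re.I)

def fixed_source_ports(conf_text: str) -> list[tuple[str, int]]:
    """Return (option, port) for every query-source* option that pins a UDP
    source port.  'port *' or no port clause lets named randomize and is
    not reported."""
    findings = []
    for m in QUERY_SOURCE_RE.finditer(strip_comments(conf_text)):
        option, body = m.group(1).lower(), m.group(2)
        pm = PORT_RE.search(body)
        if pm and pm.group(1) != "*":
            findings.append((option, int(pm.group(1))))
    return findings

def porttest_verdict(txt_answer: str) -> str:
    """Pull the OARC rating out of a porttest.dns-oarc.net TXT record
    (assumed format: '<ip> is GOOD|FAIR|POOR: ...')."""
    m = re.search(r"\bis\s+(GOOD|FAIR|POOR)\b", txt_answer)
    return m.group(1) if m else "UNKNOWN"

if __name__ == "__main__":
    for option, port in fixed_source_ports(SAMPLE_NAMED_CONF):
        print(f"{option} pins UDP source port {port}; use 'port *' instead")
```

Feed `porttest_verdict` the output of `dig +short porttest.dns-oarc.net TXT` (with `@remote-server` to test another resolver); anything other than GOOD means the resolver's port randomization, or a NAT in front of it, needs attention.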