From: "Kevin Oberman" <oberman@es.net>
To: Max Laier
Cc: Brett Glass, stable@freebsd.org, Doug Barton, freebsd-stable@freebsd.org
Date: Mon, 21 Jul 2008 13:24:18 -0700
Subject: Re: FreeBSD 7.1 and BIND exploit
In-Reply-To: <200807212138.46703.max@love2party.net>
List: freebsd-stable (Production branch of FreeBSD source code)

> From: Max Laier
> Date: Mon, 21 Jul 2008 21:38:46 +0200
>
> On Monday 21 July 2008 21:14:22 Doug Barton wrote:
> > Brett Glass wrote:
> > | Everyone:
> > |
> > | Will FreeBSD 7.1 be released in time to use it as an upgrade to
> > | close the BIND cache poisoning hole?
> >
> > Brett, et al,
> >
> > I'll make this simple for you. If you have a server that is running
> > BIND, update BIND now. If you need to use the ports, that's fine, just
> > do it now. Make sure that you are not specifying a port via any
> > query-source* options in named.conf, and that any firewall between
> > your named process and the outside world does keep-state on outgoing
> > UDP packets.
>
> ... and that any NAT device employs at least a somewhat random port
> allocation mechanism - pf provides this.

And, if you are not sure how good a job it does (and I am not), you should
use the OARC test to check how well it works:

    dig +short porttest.dns-oarc.net TXT

If the result is not "GOOD", it's not good enough. You can test a remote
server by adding "@remote-server" to the dig command. The server may be
specified by name or IP address.
Don't forget that ANY server that caches data, including an end system
running a caching-only server, is vulnerable.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
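Added example, not part of the thread: a small Python script that parses a porttest TXT answer of the kind the dig command above returns, and rates a list of observed resolver source ports (e.g. from a packet capture) the way such a test does, flagging pinned and sequential allocators as predictable. The sample TXT answer, the port lists and the 3000 std-dev threshold are constructed assumptions, not OARC's own values or code.

```python
import re
import statistics

# Constructed sample of what "dig +short porttest.dns-oarc.net TXT" answers;
# the address and the numbers are made up for this example.
SAMPLE_PORTTEST_TXT = ('"203.0.113.5 is GOOD: 26 queries in 1.4 seconds '
                       'from 26 ports with std dev 18771"')

# Constructed source-port samples, as one might read them out of a capture of
# a resolver's outgoing queries: pinned by a query-source option, handed out
# by a sequential NAT allocator, and handed out by a randomizing allocator.
PINNED_PORTS = [53] * 20
SEQUENTIAL_PORTS = list(range(49152, 49172))
RANDOM_PORTS = [50234, 12077, 61940, 33817, 5123, 45981, 28654, 59103, 17732,
                41265, 9048, 63379, 36511, 22890, 54476, 3701, 47852, 31119,
                14968, 58340]

PORTTEST_RE = re.compile(r'(\S+) is (\w+): .*? from (\d+) ports with std dev (\d+)')

def parse_porttest(txt):
    """Extract source, rating, port count and std dev from a porttest TXT
    answer. Returns None if the text does not look like a porttest result."""
    m = PORTTEST_RE.search(txt.strip().strip('"'))
    if m is None:
        return None
    return {"source": m.group(1), "rating": m.group(2),
            "ports": int(m.group(3)), "stdev": int(m.group(4))}

def assess_source_ports(ports, fair_stdev=3000.0):
    """Rate observed UDP source ports. A constant step between consecutive
    ports (pinned or sequential) is POOR regardless of spread, since it is
    predictable; otherwise the std dev decides (threshold is an assumption)."""
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    steps = {b - a for a, b in zip(ports, ports[1:])}
    predictable = len(steps) == 1
    stdev = statistics.pstdev(ports)
    if predictable:
        rating = "POOR"
    elif stdev < fair_stdev:
        rating = "FAIR"
    else:
        rating = "GOOD"
    return {"distinct": len(set(ports)), "stdev": round(stdev, 1),
            "predictable": predictable, "rating": rating}

if __name__ == "__main__":
    print(parse_porttest(SAMPLE_PORTTEST_TXT))
    for name, sample in (("pinned", PINNED_PORTS),
                         ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)):
        print(name, assess_source_ports(sample))
```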