Date: Tue, 22 Jul 2008 17:52:42 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <200807221552.m6MFqgpm009488@lurza.secnetix.de>
In-Reply-To: <200807212219.QAA01486@lariat.net>
Brett Glass wrote:
> At 02:24 PM 7/21/2008, Kevin Oberman wrote:
>
> > Don't forget that ANY server that caches data, including an end system
> > running a caching only server is vulnerable.
>
> Actually, there is an exception to this. A "forward only"
> cache/resolver is only as vulnerable as its forwarder(s). This is a
> workaround for the vulnerability for folks who have systems that they
> cannot easily upgrade: point at a trusted forwarder that's patched.
>
> We're also looking at using dnscache from the djbdns package.

I'm curious, is djbdns exploitable, too? Does it randomize the source
ports of UDP queries?

> Of course, all solutions that randomize ports are really just
> "security by obscurity," because by shuffling ports you're hiding the
> way to poison your cache... a little.

True, but there is currently no better solution, AFAIK. The problem is
inherent in the way DNS queries work.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht
München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible." -- John William Chambless
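The blind-spoofing race that the port-randomization exchange above is about, worked through as an added example. This is not code from the thread, from BIND or from djbdns; it is a model of the race an off-path attacker runs against a caching resolver: the attacker cannot see the outbound query, so every forged reply must guess the fields the resolver checks on the way in. The parameters are assumptions chosen for illustration: a 16-bit transaction ID (fixed by the protocol), 16 bits of usable entropy once the source port is randomized, and a burst of 4096 forged replies per race. The function and variable names are this example's own.

```python
"""Blind DNS cache-poisoning race, with and without source-port
randomization.  Added example, not code from the mailing-list thread,
BIND or djbdns; parameters below are assumptions for illustration."""
import random

TXID_BITS = 16              # DNS transaction ID is a 16-bit field
PORT_BITS_RANDOMIZED = 16   # assumed entropy of a randomized source port


def guess_space(port_bits: int) -> int:
    """Number of (port, txid) combinations a blind attacker must cover.
    port_bits == 0 models a resolver that sends every query from one
    fixed port, so only the TXID is unknown to the attacker."""
    return 1 << (TXID_BITS + port_bits)


def race_success_probability(burst: int, port_bits: int) -> float:
    """Chance that one burst of `burst` distinct forged replies hits the
    single outstanding query before the genuine answer arrives."""
    return min(1.0, burst / guess_space(port_bits))


def expected_races(burst: int, port_bits: int) -> float:
    """Expected number of races until one is won.  Each race is a fresh
    query the attacker provokes; the count is geometric in the per-race
    success probability."""
    return 1.0 / race_success_probability(burst, port_bits)


def run_race(rng: random.Random, burst: int, port_bits: int) -> bool:
    """Simulate one race.  The resolver picks a uniformly random TXID
    (and, if port_bits > 0, source port); the attacker fires `burst`
    distinct blind guesses.  Returns True if a forged reply matched."""
    space = guess_space(port_bits)
    outstanding = rng.randrange(space)           # resolver's (port, txid)
    forged = rng.sample(range(space), burst)     # attacker's distinct guesses
    return outstanding in set(forged)


def races_until_poisoned(burst: int, port_bits: int,
                         max_races: int, seed: int = 0):
    """Run races until the attacker wins; return how many were needed,
    or None if the cap `max_races` was reached first."""
    rng = random.Random(seed)
    for n in range(1, max_races + 1):
        if run_race(rng, burst, port_bits):
            return n
    return None


if __name__ == "__main__":
    burst = 4096
    for label, bits in (("fixed port", 0),
                        ("randomized port", PORT_BITS_RANDOMIZED)):
        print(f"{label}: P(win one race)="
              f"{race_success_probability(burst, bits):.2e}, "
              f"expected races={expected_races(burst, bits):.0f}, "
              f"simulated={races_until_poisoned(burst, bits, 500, seed=2008)}")
```

With a fixed source port the attacker needs about 16 races of 4096 packets each; with 16 bits of port entropy the same burst wins one race in roughly a million, which is the difference between a matter of seconds and a sustained flood. The model does not make the resolver unguessable, it only multiplies the guess space by the port entropy, which is the sense in which the thread calls it hiding the way to poison the cache "a little" while still being the best available mitigation at the time.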