From owner-freebsd-stable@FreeBSD.ORG Tue Jul 22 15:52:45 2008
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6E509106566C for ; Tue, 22 Jul 2008 15:52:45 +0000 (UTC) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (unknown [IPv6:2a01:170:102f::2]) by mx1.freebsd.org (Postfix) with ESMTP id DE9888FC14 for ; Tue, 22 Jul 2008 15:52:44 +0000 (UTC) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (localhost [127.0.0.1]) by lurza.secnetix.de (8.14.1/8.14.1) with ESMTP id m6MFqg75009489; Tue, 22 Jul 2008 17:52:43 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost) by lurza.secnetix.de (8.14.1/8.14.1/Submit) id m6MFqgpm009488; Tue, 22 Jul 2008 17:52:42 +0200 (CEST) (envelope-from olli)
Date: Tue, 22 Jul 2008 17:52:42 +0200 (CEST)
Message-Id: <200807221552.m6MFqgpm009488@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
In-Reply-To: <200807212219.QAA01486@lariat.net>
X-Newsgroups: list.freebsd-stable
User-Agent: tin/1.8.3-20070201 ("Scotasay") (UNIX) (FreeBSD/6.2-STABLE-20070808 (i386))
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.2 (lurza.secnetix.de [127.0.0.1]); Tue, 22 Jul 2008 17:52:43 +0200 (CEST)
Subject: Re: FreeBSD 7.1 and BIND exploit
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Tue, 22 Jul 2008 15:52:45 -0000

Brett Glass wrote:
 > At 02:24 PM 7/21/2008, Kevin Oberman wrote:
 > 
 > > Don't forget that ANY server that caches data, including an end system
 > > running a caching only server is vulnerable.
 > 
 > Actually, there is an exception to this. A "forward only"
 > cache/resolver is only as vulnerable as its forwarder(s). This is a
 > workaround for the vulnerability for folks who have systems that they
 > cannot easily upgrade: point at a trusted forwarder that's patched.
 > 
 > We're also looking at using dnscache from the djbdns package.

I'm curious, is djbdns exploitable, too? Does it randomize the source
ports of UDP queries?

 > Of course, all solutions that randomize ports are really just
 > "security by obscurity," because by shuffling ports you're hiding the
 > way to poison your cache... a little.

True, but there is currently no better solution, AFAIK. The problem
is inherent in the way DNS queries work.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht
München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible." -- John William Chambless
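The exchange above argues about how much UDP source-port randomization is worth against blind reply spoofing of a caching resolver. The following is an added example, not code from the thread or from BIND or djbdns, that puts numbers on that argument: it models one poisoning race (the attacker floods forged replies at an outstanding query and wins if one forgery matches the 16-bit transaction ID, or the transaction ID and the source port when ports are randomized), computes the win probability and the expected number of races, and runs a small Monte Carlo of both cases. The assumptions are mine: one outstanding query at a time, the attacker already knows the query name and the resolver's address, every forged reply carries a distinct guess, and randomized ports are drawn from 1024..65535.

```python
"""Added example (not from the mailing-list thread, BIND or djbdns):
how much source-port randomization buys a caching resolver against
blind reply spoofing.

Assumed model: one outstanding query at a time; the attacker knows the
query name and the resolver's address and sends `forged_per_query`
replies, each with a distinct guess at the 16-bit transaction ID and,
when ports are randomized, at the UDP source port (assumed 1024..65535).
"""
import random

TXID_SPACE = 1 << 16          # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65536
PORT_SPACE = PORT_HIGH - PORT_LOW   # assumed ephemeral port range
FIXED_PORT = 53               # a resolver that always queries from port 53


def guess_space(randomize_port):
    """Number of distinct (TXID, port) values the spoofer must cover.

    Without port randomization only the TXID is unknown: 65536 values.
    With it, the port multiplies the search space by PORT_SPACE."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def win_probability(forged_per_query, randomize_port):
    """Chance one race is won with `forged_per_query` distinct guesses
    (sampling without replacement, so it is exactly k/N, capped at 1)."""
    return min(1.0, forged_per_query / guess_space(randomize_port))


def expected_races(forged_per_query, randomize_port):
    """Races the attacker expects to run before the first win
    (geometric distribution: 1/p). The attacker can keep re-running
    the race on fresh names, which is why the thread calls
    randomization only a partial fix."""
    return 1.0 / win_probability(forged_per_query, randomize_port)


def simulate_races(trials, forged_per_query, randomize_port, seed=1):
    """Monte Carlo of the race: return how many of `trials` the spoofer
    wins. The resolver picks a TXID (and a port if randomizing); the
    attacker fires `forged_per_query` distinct guesses before the
    genuine reply arrives."""
    rng = random.Random(seed)
    space = guess_space(randomize_port)
    wins = 0
    for _ in range(trials):
        txid = rng.randrange(TXID_SPACE)
        if randomize_port:
            port = rng.randrange(PORT_LOW, PORT_HIGH)
            # Encode (txid, port) as one index into the combined space.
            target = txid * PORT_SPACE + (port - PORT_LOW)
        else:
            target = txid          # port is known (FIXED_PORT), only TXID matters
        # Distinct guesses; random.sample on a range is lazy, so the
        # ~4.2e9-element randomized space is never materialized.
        guesses = set(rng.sample(range(space), forged_per_query))
        if target in guesses:
            wins += 1
    return wins


if __name__ == "__main__":
    k = 1000   # forged replies the attacker lands per race
    for randomized in (False, True):
        label = "random port" if randomized else "fixed port %d" % FIXED_PORT
        print("%-14s space=%d p(win)=%.2e expected races=%.0f simulated wins/1000=%d"
              % (label, guess_space(randomized), win_probability(k, randomized),
                 expected_races(k, randomized), simulate_races(1000, k, randomized)))
```

With a thousand forged replies per race the fixed-port resolver is expected to fall after roughly 66 races, while the randomized one needs on the order of four million; that is the "a little" in the quoted message, and also why it is not nothing. The model deliberately ignores the birthday-style speedup an attacker gets when the resolver has several identical queries outstanding at once, which only makes the fixed-port case worse.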