Date: Wed, 23 Jul 2008 11:58:06 +1000 From: Mark Andrews <Mark_Andrews@isc.org> To: Oliver Fromme <olli@lurza.secnetix.de>, freebsd-stable@FreeBSD.ORG Subject: Re: FreeBSD 7.1 and BIND exploit Message-ID: <200807230158.m6N1w6BR015766@drugs.dv.isc.org> In-Reply-To: Your message of "Tue, 22 Jul 2008 06:20:25 -1000." <20080722162024.GA1279@lava.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote: > > Brett Glass wrote: > > > At 02:24 PM 7/21/2008, Kevin Oberman wrote: > > > > > > > Don't forget that ANY server that caches data, including an end system > > > > running a caching only server is vulnerable. > > > > > > Actually, there is an exception to this. A "forward only" > > > cache/resolver is only as vulnerable as its forwarder(s). This is a > > > workaround for the vulnerability for folks who have systems that they > > > cannot easily upgrade: point at a trusted forwarder that's patched. > > > > > > We're also looking at using dnscache from the djbdns package. > > > > I'm curious, is djbdns exploitable, too? Does it randomize > > the source ports of UDP queries? > > AFAIK Dan Bernstein first spelled out the fundamental problems with > DNS response forgery in 2001. He implemented dnscache to randomize > source ports and IDs from the beginning, via a cryptographic quality > RNG. See for instance this page, much of it written in 2003: > > <http://cr.yp.to/djbdns/forgery.html>; And the IETF was working on a solution well before that. One that addressed not only off path attacks but also addressed on path attacks. One that worked with kernels that only supported limited numbers of file desriptors. One that worked regardless on the number of concurrent outstanding queries. That solution is called DNSSEC. We looked at what Dan did and said it didn't go far enough and that it has implementation issues at high query rates that can't be solved just by throwing more cpu at the problem. The problems are inherent to how UDP works. > He rubs a lot of people the wrong way, but I think he has usually > proved to be right on security issues. Dan is often right. However a different, more encompassing, solution was choosen. > I also think that modular design of security-sensitive tools is the > way to go, with his DNS tools as with Postfix. > -- Clifton > > -- > Clifton Royston -- cliftonr@iandicomputing.com / cliftonr@lava.net > President - I and I Computing * http://www.iandicomputing.com/ > Custom programming, network design, systems and network consulting services > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200807230158.m6N1w6BR015766>