Date: Fri, 25 Jul 2008 13:54:30 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: Brett Glass <brett@lariat.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <488A3D86.8030808@FreeBSD.org>
In-Reply-To: <200807212219.QAA01486@lariat.net>
References: <Your message of "Mon, 21 Jul 2008 21:38:46 +0200." <200807212138.46703.max@love2party.net> <20080721202418.7CF9B4500E@ptavv.es.net> <200807212219.QAA01486@lariat.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Brett Glass wrote:
| At 02:24 PM 7/21/2008, Kevin Oberman wrote:
|
|> Don't forget that ANY server that caches data, including an end
|> system running a caching only server is vulnerable.
|
| Actually, there is an exception to this. A "forward only"
| cache/resolver is only as vulnerable as its forwarder(s). This is a
| workaround for the vulnerability for folks who have systems that
| they cannot easily upgrade: point at a trusted forwarder that's
| patched.

This is true only so long as you have ZERO untrusted users on the
network with the name server doing the forwarding. Given the incredibly
huge number of Windows boxes that have been trojaned, your threshold for
measuring untrusted users needs to be really really low.

The reason a forwarder is still vulnerable is that the attack has to do
with response forgery. It would actually be _easier_ to poison a
forwarder since all of the queries are going to/from known IP addresses.

My point once again being, patch sooner rather than later, especially
given that there are now exploits in the wild AND reports of actual
systems being attacked.

Doug

- --
~ This .signature sanitized for your protection

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEAREDAAYFAkiKPYYACgkQyIakK9Wy8Psp1gCgmFLRqVI7NEGMXUBPr4Cyd0BM
wfEAnAtfIlndk9FfpVQGjClxHWAw3HHt
=enmE
-----END PGP SIGNATURE-----
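Added example, not part of the original message or of any FreeBSD or BIND code: the thread's practical question for an operator who cannot upgrade is whether the forwarder they point at is actually patched. The July 2008 fix for this response-forgery attack was source-port randomization on the resolver's outbound queries, so a resolver that still sends every query from one port (historically port 53) is the thing to look for. The script below takes a constructed summary of outbound queries (the log format, the resolver addresses 192.0.2.10 and 192.0.2.20, and the forwarder 198.51.100.1 are all assumptions for the example) and reports, per resolver, how many distinct source ports and transaction IDs it used, flagging a fixed-port resolver.

```python
import re
from collections import defaultdict

# Constructed sample of outbound DNS queries to an upstream forwarder, in a
# made-up one-line-per-packet summary format (not real traffic, not a BIND log).
# 192.0.2.10 sends every query from port 53; 192.0.2.20 varies its source port.
SAMPLE_LOG = """\
12:00:01 192.0.2.10:53 -> 198.51.100.1:53 id=0x1a2b q=www.example.net
12:00:02 192.0.2.10:53 -> 198.51.100.1:53 id=0x1a2c q=mail.example.net
12:00:03 192.0.2.10:53 -> 198.51.100.1:53 id=0x1a2d q=ns1.example.net
12:00:04 192.0.2.10:53 -> 198.51.100.1:53 id=0x1a2e q=ftp.example.net
12:00:05 192.0.2.20:41873 -> 198.51.100.1:53 id=0x7f01 q=www.example.net
12:00:06 192.0.2.20:58104 -> 198.51.100.1:53 id=0x03c9 q=mail.example.net
12:00:07 192.0.2.20:33217 -> 198.51.100.1:53 id=0xe4a0 q=ns1.example.net
12:00:08 192.0.2.20:49960 -> 198.51.100.1:53 id=0x5b12 q=ftp.example.net
"""

# Assumed line layout: "<time> <src_ip>:<src_port> -> <dst_ip>:53 id=0x<txid> q=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):53 id=0x(?P<txid>[0-9a-fA-F]{1,4}) q=(?P<qname>\S+)$"
)


def parse_queries(text):
    """Return (src_ip, src_port, txid) for every line that is an outbound query."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not query summaries
        queries.append((m["src_ip"], int(m["src_port"]), int(m["txid"], 16)))
    return queries


def assess_resolvers(queries, min_samples=4):
    """Per resolver IP, count distinct source ports and transaction IDs.

    A resolver that sends all its queries from one port leaves only the 16-bit
    transaction ID for an off-path forger to guess; with randomized ports the
    forger must also match the port. 'fixed_port' is only asserted once at
    least min_samples queries were seen, so a single query is not misjudged.
    """
    seen = defaultdict(lambda: {"queries": 0, "ports": set(), "txids": set()})
    for src_ip, port, txid in queries:
        rec = seen[src_ip]
        rec["queries"] += 1
        rec["ports"].add(port)
        rec["txids"].add(txid)

    report = {}
    for src_ip, rec in seen.items():
        enough = rec["queries"] >= min_samples
        report[src_ip] = {
            "queries": rec["queries"],
            "ports": len(rec["ports"]),
            "txids": len(rec["txids"]),
            "fixed_port": enough and len(rec["ports"]) == 1,
            # Repeated transaction IDs across queries are a second warning sign.
            "txid_reuse": enough and len(rec["txids"]) < rec["queries"],
        }
    return report


def format_report(report):
    """Render the assessment as plain text, one line per resolver."""
    lines = []
    for src_ip in sorted(report):
        r = report[src_ip]
        verdict = "FIXED SOURCE PORT: treat as unpatched" if r["fixed_port"] else "ports vary"
        lines.append(
            f"{src_ip}: {r['queries']} queries, {r['ports']} ports, "
            f"{r['txids']} txids -> {verdict}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(assess_resolvers(parse_queries(SAMPLE_LOG))))
```

Run it against a capture summary of your own resolver's traffic toward its forwarder; in the constructed sample, 192.0.2.10 is flagged and 192.0.2.20 is not. The check says nothing about the forwarder itself, which is the point Doug makes: the forward-only host inherits whatever exposure the forwarder has, so the same assessment has to be made for the forwarder's own outbound queries.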