Cache poisoning
Paul Vixie
vixie at sa.vix.com
Mon Aug 8 14:23:21 UTC 2005
Peter Dambier <peter at peter-dambier.de> writes:
> > John still sends messages in base64 encoding. Here is the decode:
> > ---------------------------------------------------------------------------
> > Hello.
> >
> > I would like to ask about cache poisoning.
> >
> > Does ISC recommend which BIND versions have to be updated for cache
> > poisoning?
>
> I am not ISC, but I have seen that you have to upgrade to 9.x to
> be safe from poisoning.
BIND8's cache cannot be poisoned by a Kashpureff-style attack. However,
BIND8 does not sanitize forwarded responses, so any caching nameserver
that is configured to "use forwarders" where any of those forwarders is
running BIND8 can be poisoned.
> > Actually, one of my name servers is running BIND 8.2.7, but this
> > machine's performance is pretty bad, so
> >
> > I have difficulty updating to the latest BIND version. Which version is
> > good for this machine?
>
> Try 9.3, its performance should be better now.
Agreed, and 9.4's performance will be even better.
> One solution I prefer doing on my system is contrary to school teaching:
>
> My bind is a resolver. But I do clone all zones that are important to me.
> That is, my bind runs as a slave for the root. I don't have a hints file.
At <http://public.oarci.net/oarc/workshop-2005/minutes> there is a
presentation authored by David Malone entitled "The Root of the Matter:
Hints or Slaves?" which helps explain why this seemingly good idea is
not in fact all that good.
--
Paul Vixie
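The "sanitizing" that the reply says BIND8 does not apply to forwarded responses is, at its core, a bailiwick check: records the answering server is not authoritative for are discarded before anything reaches the cache. The following is an added illustrative model of that check, not BIND's own code; the `RR` type, the `sanitize_response` function and the sample names are constructed for the example.

```python
# Added illustrative model of response "sanitizing" (bailiwick checking); this is
# not BIND's own code. A resolver that skips this step will cache whatever
# extra records a response carries, which is the weakness discussed above.
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute, e.g. "www.example.com."
    rtype: str   # record type, e.g. "A" or "NS"
    rdata: str   # record data as text

def _canon(name: str) -> str:
    # Lower-case and force a single trailing dot so comparisons are exact.
    return name.lower().rstrip(".") + "."

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it (label-boundary aware)."""
    n, z = _canon(name), _canon(zone)
    if z == ".":          # the root is everything's parent
        return True
    return n == z or n.endswith("." + z)

def sanitize_response(bailiwick: str, sections: dict) -> dict:
    """Return {"kept": [...], "dropped": [...]} for the RRs in a response.

    `bailiwick` is the zone the resolver believes the answering server is
    authoritative for (the zone whose NS it followed to reach that server).
    Records outside it are untrusted and must not enter the cache.
    """
    kept, dropped = [], []
    for section in ("answer", "authority", "additional"):
        for rr in sections.get(section, []):
            (kept if in_bailiwick(rr.name, bailiwick) else dropped).append(rr)
    return {"kept": kept, "dropped": dropped}

# Constructed sample: a reply from example.com's server whose additional
# section carries records for names that server has no authority over.
SAMPLE = {
    "answer":     [RR("www.example.com.", "A", "192.0.2.10")],
    "authority":  [RR("example.com.", "NS", "ns1.example.com.")],
    "additional": [RR("ns1.example.com.", "A", "192.0.2.53"),
                   RR("www.example.net.", "A", "192.0.2.99"),           # out of bailiwick
                   RR("example.com.example.net.", "A", "192.0.2.98")],  # lookalike name
}

if __name__ == "__main__":
    result = sanitize_response("example.com.", SAMPLE)
    for rr in result["dropped"]:
        print("dropped:", rr)
```

A resolver that forwards to a server lacking this filter inherits whatever that server cached, which is why the reply treats a BIND8 forwarder as the weak link regardless of the version running on the front end.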