Vulnerability to cache poisoning -- the rest of the solution

Jeff Lightner jlightner at water.com
Fri Jul 11 16:22:27 UTC 2008


Can you elaborate on this?

I had thought turning off cache queries to external lookups was
sufficient. Are you saying this is needed in addition or that cache
query disabling had nothing to do with the cache poisoning?

Also as to the randomization - is this only for outbound responses?  The
initial query would have to come on port 53 where named listens or are
you saying that it somehow listens on random ports as well?

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Alan Clegg
Sent: Friday, July 11, 2008 8:07 AM
To: bind-users at isc.org
Subject: Vulnerability to cache poisoning -- the rest of the solution

Twice in the last two days, I've seen people post their named.conf files
(or snippets there-of) and they have contained lines similar to the
following:
>          query-source    port 53;
>          query-source-v6 port 53;

These lines specifically "undo" the port randomization that is included
in the current -P1 and beta code required for securing your servers from
cache poisoning.

It is not enough to install the patched code!  You also MUST remove the
restrictions on the ports that your queries use when leaving your
system.

Be aware that this may entail getting some cooperation from your
firewall administrators, but this is VITAL to the resilience of your
servers against the new attack vector.

Please, if you have QUERY-SOURCE PORT XX statements in your
configuration files, work quickly to remove them.

Thanks,
AlanC
