Vulnerability to cache poisoning -- the rest of the solution

Alan Clegg Alan_Clegg at isc.org
Fri Jul 11 16:43:59 UTC 2008


Jeff Lightner wrote:
> I had thought turning off cache queries to external lookups was
> sufficient.   Are you saying this is needed in addition or that cache
> query disabling had nothing to do with the cache poisoning?

If your server is authoritative only, it is not at risk.  If it is
recursive, it is at risk.

It's not allowing queries from outside your network that puts you at
risk, it's doing recursion on behalf of others (internal or external)
that opens you to the vulnerability.

If you recurse, install new code and don't limit your queries to a
single port.

> Also as to the randomization - is this only for outbound responses?  The
> initial query would have to come on port 53 where named listens or are
> you saying that it somehow listens on random ports as well?

This randomization is of queries being sent out from recursive servers
on behalf of the system that sent the query with the recursion desired
"RD" bit set.

All DNS queries will have a destination of port 53.  You just don't want
all of the queries to have the same SOURCE port.

AlanC
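As an added example, not part of the thread: a small checker that tells a fixed-source-port resolver from a randomizing one by the entropy of the UDP source ports in its outbound queries to port 53. The records are constructed here; in practice they would come from a packet capture of the resolver's outbound traffic.

```python
"""Assess whether a recursive resolver randomizes the UDP source port of its
outbound queries. Added example; records are constructed, not from the thread.
Each record is (src_port, dst_port) of one packet sent by the resolver."""
from collections import Counter
import math


def source_port_entropy(records):
    """Shannon entropy (bits) of source ports among outbound queries to port 53.
    A resolver that reuses one port scores 0.0; one drawing a fresh port per
    query approaches log2(number of queries) for a small sample."""
    ports = [src for src, dst in records if dst == 53]
    if not ports:
        return 0.0
    counts = Counter(ports)
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(records, min_bits=3.0):
    """'fixed-port' when the sample shows a single source port, 'randomized'
    when entropy reaches min_bits, otherwise 'low-diversity'."""
    bits = source_port_entropy(records)
    if bits == 0.0:
        return "fixed-port"
    if bits >= min_bits:
        return "randomized"
    return "low-diversity"


# Constructed samples: a resolver pinned to source port 53, and one using
# varied ephemeral ports. Destination is always 53, as the thread notes.
FIXED = [(53, 53)] * 16
RANDOM = [(p, 53) for p in (51234, 62001, 40123, 58870, 33891, 60442, 45677,
                            54310, 39128, 61777, 49050, 57263, 36900, 63111,
                            42584, 55209)]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("random", RANDOM)):
        print(name, round(source_port_entropy(sample), 2), classify(sample))
```

Sixteen queries is far too few to judge a real resolver; treat the threshold as a starting point and sample at least a few thousand packets before drawing a conclusion.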
