Vulnerability to cache poisoning -- the rest of the solution

Alan Clegg Alan_Clegg at isc.org
Fri Jul 11 22:12:07 UTC 2008


Peter Laws wrote:
>> For now, randomize your query source ports.  Please.
> 
> Is that something you have to positively do (i.e., not a default), or does 
> it happen automagically with the updated BIND(s)?

It's automatic in 9.3.5-P1, 9.4.2-P1, and 9.5.0-P1 (and the current
betas) unless you tell it otherwise by using BAD things like:

   query-source port XX;

in your configuration.

Notice that if you have a line like the above in your current
configuration and are behind a firewall, there may be rules in place
that made that line necessary.  Check with your firewall admin to make
sure that "random outbound UDP ports" are open from your nameserver to
the outside world.

AlanC
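As an added example (not part of this post, nor code from ISC or BIND), here is a small Python checker that inspects a named.conf for a pinned outbound port on a `query-source` or `query-source-v6` statement, which is the BIND directive the line above refers to. The two configuration fragments are constructed samples: the first pins the port (randomization disabled), the second leaves it to BIND (`port *` or no port clause), which is what the patched releases do by default.

```python
import re

# Constructed sample: a pinned source port turns off BIND's port randomization.
WEAK_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;   // pinned, typically for an old firewall rule
    query-source-v6 address * port 53;
    recursion yes;
};
"""

# Constructed sample: no port clause, or an explicit `port *`, lets BIND pick
# a random port for every outgoing query.
FIXED_CONF = """
options {
    directory "/var/named";
    query-source address *;
    query-source-v6 address * port *;   # explicit "randomize" form
    recursion yes;
};
"""

# One query-source / query-source-v6 statement up to its terminating ';'.
_QS_RE = re.compile(r'^\s*(query-source(?:-v6)?)\b([^;]*);', re.MULTILINE)
# The optional port clause inside such a statement: a number or '*'.
_PORT_RE = re.compile(r'\bport\s+(\*|\d+)')


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.DOTALL)
    text = re.sub(r'//[^\n]*', '', text)
    text = re.sub(r'#[^\n]*', '', text)
    return text


def find_fixed_source_ports(conf_text):
    """Return (directive, port) for every query-source statement that pins
    the outbound UDP port; an empty list means randomization is in effect."""
    findings = []
    for m in _QS_RE.finditer(strip_comments(conf_text)):
        directive, rest = m.group(1), m.group(2)
        p = _PORT_RE.search(rest)
        if p and p.group(1) != '*':
            findings.append((directive, int(p.group(1))))
    return findings


def is_randomizing(conf_text):
    """True when no query-source statement pins a fixed port."""
    return not find_fixed_source_ports(conf_text)


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('fixed', FIXED_CONF)):
        pinned = find_fixed_source_ports(conf)
        print(name, 'randomizing' if not pinned else 'pinned ports: %r' % pinned)
```

Run it against a real named.conf by reading the file into `find_fixed_source_ports`; a non-empty result is the setting to remove. Removing it only helps if the firewall in front of the nameserver allows outbound UDP from the whole ephemeral port range, so the firewall check Alan mentions belongs with this one.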
