Vulnerability to cache poisoning -- the rest of the solution

Jeff Lightner jlightner at water.com
Mon Jul 14 16:36:21 UTC 2008


You ignored the rest of what I wrote apparently.


-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Peter Laws
Sent: Monday, July 14, 2008 12:15 PM
To: bind-users at isc.org
Subject: Re: Vulnerability to cache poisoning -- the rest of the solution

Jeff Lightner wrote:
> OK maybe I missed something.
> 
> We were only allowing port 53 outside the firewall (confirmed by the
> Network folks).   We've been doing lookups for external sites fine
> despite that.   Was the discussion in current thread about that or
> something else?
Are your *outbound* connections restricted by the firewall to udp/53?
Or was your security admin talking about *inbound* connections?

All the hullabaloo is about random source ports for DNS servers doing
recursive lookups on behalf of clients.  The randomness of port choice
has been improved (hasn't it?) with the recent patches.

You also need to make sure your BIND config doesn't pin it to a
particular port (53 or otherwise).

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
plaws at ou.edu
-----------------------------------------------------------------------
Feedback? Contact my director, Craig Cochell, craigc at ou.edu. Thank you!
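The thread's practical point is the one Peter raises at the end: a recursive BIND server only benefits from the source-port randomization patches if named.conf does not pin its outbound query port. The following is an added example, not code from the bind-users thread or from ISC: a small Python audit that scans a named.conf fragment for a `query-source`/`query-source-v6` clause with a fixed `port`, checks that any `use-v4-udp-ports`/`use-v6-udp-ports` pool is reasonably wide, and parses tcpdump-style lines to see whether the server's observed source ports actually vary. The two config fragments and the two captures are constructed samples; `query-source`, `use-v4-udp-ports` and `avoid-v4-udp-ports` are real BIND 9 option names, but the threshold of 16384 ports is an arbitrary choice for this example.

```python
"""Audit BIND named.conf and outbound-query captures for pinned source ports.

Added example for the bind-users thread; not ISC code.  All configs and
packet lines below are constructed samples.
"""
import re

# Constructed named.conf fragment: the weak setting.  With the port pinned,
# an off-path attacker only has to guess the 16-bit transaction ID.
PINNED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    query-source address * port 53;        // pins every outbound query to UDP/53
    query-source-v6 address * port 53;
};
"""

# Constructed named.conf fragment: the corrected setting.  No port clause,
# so named chooses a random ephemeral port per query from a wide pool.
RANDOMIZED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    query-source address *;
    query-source-v6 address *;
    use-v4-udp-ports { range 1024 65535; };  /* wide pool */
    avoid-v4-udp-ports { 4500; };            /* skip ports the firewall filters */
};
"""

# Matches "query-source [address X] port N;" and the -v6 variant.
QUERY_SOURCE_RE = re.compile(
    r'\b(query-source(?:-v6)?)\s+(?:address\s+\S+\s+)?port\s+(\S+)\s*;')
# Matches "use-v4-udp-ports { range LO HI; };" (and the v6 form).
PORT_RANGE_RE = re.compile(
    r'\b(use-v[46]-udp-ports)\s*\{\s*range\s+(\d+)\s+(\d+)\s*;\s*\}\s*;')
MIN_POOL = 16384  # arbitrary threshold for this example: at least 2**14 ports


def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out settings are ignored."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#).*', '', conf)


def audit(conf):
    """Return a list of human-readable findings; empty means nothing pinned."""
    findings = []
    text = strip_comments(conf)
    for m in QUERY_SOURCE_RE.finditer(text):
        stmt, port = m.group(1), m.group(2)
        if port != '*':  # "port *" is BIND's way of saying "randomize"
            findings.append(f"{stmt} pins outbound UDP source port to {port}")
    for m in PORT_RANGE_RE.finditer(text):
        stmt, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        width = hi - lo + 1
        if width < MIN_POOL:
            findings.append(f"{stmt} pool {lo}-{hi} is only {width} ports wide")
    return findings


# Constructed tcpdump-style lines (not a real capture): resolver 192.0.2.10
# querying authoritative server 198.51.100.1.  The source port is the number
# after the resolver's address.
PINNED_CAPTURE = """\
12:00:01.001 IP 192.0.2.10.53 > 198.51.100.1.53: 41012+ A? www.example.com. (33)
12:00:01.002 IP 192.0.2.10.53 > 198.51.100.1.53: 9071+ A? mail.example.com. (34)
12:00:01.003 IP 192.0.2.10.53 > 198.51.100.1.53: 23388+ MX? example.com. (29)
"""
RANDOM_CAPTURE = """\
12:00:01.001 IP 192.0.2.10.34012 > 198.51.100.1.53: 41012+ A? www.example.com. (33)
12:00:01.002 IP 192.0.2.10.51877 > 198.51.100.1.53: 9071+ A? mail.example.com. (34)
12:00:01.003 IP 192.0.2.10.6120 > 198.51.100.1.53: 23388+ MX? example.com. (29)
"""
SRC_PORT_RE = re.compile(r' IP \d+\.\d+\.\d+\.\d+\.(\d+) > ')


def observed_source_ports(capture):
    """Extract the UDP source port of every outbound query in the capture."""
    return [int(m.group(1)) for m in SRC_PORT_RE.finditer(capture)]


def source_port_pinned(capture):
    """True when every observed query left from the same source port."""
    ports = observed_source_ports(capture)
    return len(ports) > 0 and len(set(ports)) == 1


if __name__ == "__main__":
    for name, conf in (("pinned", PINNED_CONF), ("randomized", RANDOMIZED_CONF)):
        print(name, audit(conf) or "no findings")
    print("pinned capture:", source_port_pinned(PINNED_CAPTURE))
    print("random capture:", source_port_pinned(RANDOM_CAPTURE))
```

For a live server, the capture half of this check is `tcpdump -n -i <iface> udp dst port 53` on the resolver while it recurses, and the firewall question in the thread is answered by the same capture: if the outbound rule only permits source port 53, a randomizing BIND will see its queries dropped, so the firewall rule has to allow the whole ephemeral range (or whatever `use-v4-udp-ports` is set to) outbound. DNS-OARC's `dig +short porttest.dns-oarc.net TXT`, run through the resolver under test, gives an external opinion on the same property.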

