Vulnerability to cache poisoning -- the rest of the solution

Mon Jul 14 16:36:21 UTC 2008

You ignored the rest of what I wrote apparently.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Peter Laws
Sent: Monday, July 14, 2008 12:15 PM
To: bind-users at isc.org
Subject: Re: Vulnerability to cache poisoning -- the rest of the
solution

Jeff Lightner wrote:
> OK maybe I missed something.
> 
> We were only allowing port 53 outside the firewall (confirmed by the
> Network folks).   We've been doing lookups for external sites fine
> despite that.   Was the discussion in current thread about that or
> something else?
Are your *outbound* connections restricted by the firewall to udp/53?
Or 
was your security admin talking about *inbound* connections?

All the hullabaloo is about random source ports for DNS servers doing 
recursive lookups on behalf of clients.  The randomness of port choice
has 
been improved (hasn't it?) with the recent patches.

You also need to make sure your BIND config doesn't pin it to a
particular 
port (53 or otherwise).

-- 
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
plaws at ou.edu
-----------------------------------------------------------------------
Feedback? Contact my director, Craig Cochell, craigc at ou.edu. Thank you!
----------------------------------
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
----------------------------------

The information contained in this message and any attachment may be
proprietary, confidential, and privileged or subject to the work
product doctrine and thus protected from disclosure.  If the reader
of this message is not the intended recipient, or an employee or
agent responsible for delivering this message to the intended
recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify me
immediately by replying to this message and deleting it and all
copies and backups thereof.  Thank you.