Vulnerability to cache poisoning -- the rest of the solution

Kyle McDonald KMcDonald at Egenera.COM
Mon Jul 14 19:37:26 UTC 2008


Baird, Josh wrote:
> Is anyone else getting all kinds of duplicate messages that were sent
> hours ago?
>
>   
And I thought it was only me.

  -Kyle

>
>
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Jeff Lightner
> Sent: Monday, July 14, 2008 11:36 AM
> To: Peter Laws; bind-users at isc.org
> Subject: RE: Vulnerability to cache poisoning -- the rest of the solution
>
> You ignored the rest of what I wrote apparently.
>
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Peter Laws
> Sent: Monday, July 14, 2008 12:15 PM
> To: bind-users at isc.org
> Subject: Re: Vulnerability to cache poisoning -- the rest of the solution
>
> Jeff Lightner wrote:
>   
>> OK maybe I missed something.
>>
>> We were only allowing port 53 outside the firewall (confirmed by the
>> Network folks).   We've been doing lookups for external sites fine
>> despite that.   Was the discussion in current thread about that or
>> something else?
>>     
> Are your *outbound* connections restricted by the firewall to udp/53?
> Or was your security admin talking about *inbound* connections?
>
> All the hullabaloo is about random source ports for DNS servers doing
> recursive lookups on behalf of clients.  The randomness of port choice
> has been improved (hasn't it?) with the recent patches.
>
> You also need to make sure your BIND config doesn't pin it to a
> particular port (53 or otherwise).
>
>   

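The check Peter Laws describes in the quoted message (that the BIND config must not pin the query source to one port, otherwise the July 2008 source-port randomization patches for CVE-2008-1447 buy nothing) can be automated. The script below is an added example written for this page, not code from the thread or from ISC. It scans the `options` statements of a named.conf for `query-source` / `query-source-v6` with a fixed `port N`, which is exactly the setting that pins outgoing queries to one UDP port. The three config fragments are constructed for the example; `port *` (BIND's explicit "pick a random port") and an absent `port` clause are both treated as safe.

```python
import re

# Constructed named.conf fragments (sample input for this example, not from the thread).
# The classic pre-2008 pattern: every recursive query leaves from UDP 53, so the
# attacker only has to guess the 16-bit transaction ID.
PINNED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    query-source address * port 53;      // pins IPv4 queries to port 53
    query-source-v6 address * port 53;   // pins IPv6 queries to port 53
};
"""

# Corrected form: no port clause, so a patched BIND picks a random source port.
RANDOMIZED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    query-source address *;
    query-source-v6 address ::;
};
"""

# Also safe: a fixed source address but an explicitly random port.
STAR_PORT_CONF = """
options {
    query-source address 192.0.2.53 port *;   /* 192.0.2.53 is a documentation address */
};
"""

# A query-source or query-source-v6 statement runs up to the next ';'.
_STMT = re.compile(r'\b(query-source(?:-v6)?)\b([^;]*);', re.IGNORECASE)
# Inside it, "port 53" pins the port; "port *" asks for a random one.
_PORT = re.compile(r'\bport\s+(\*|\d+)', re.IGNORECASE)


def strip_comments(text):
    """Remove named.conf comment styles (/* */, //, #) so commented-out lines are ignored."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'(//|#).*', '', text)
    return text


def pinned_query_ports(conf):
    """Return {statement: port} for every query-source statement that pins a fixed UDP port.

    An empty dict means nothing in this config defeats source-port randomization.
    """
    findings = {}
    for m in _STMT.finditer(strip_comments(conf)):
        stmt, rest = m.group(1).lower(), m.group(2)
        pm = _PORT.search(rest)
        if pm and pm.group(1) != '*':
            findings[stmt] = int(pm.group(1))
    return findings


def is_port_randomized(conf):
    """True when no query-source statement pins the outgoing port."""
    return not pinned_query_ports(conf)


if __name__ == "__main__":
    for name, conf in (("pinned", PINNED_CONF),
                       ("randomized", RANDOMIZED_CONF),
                       ("star-port", STAR_PORT_CONF)):
        bad = pinned_query_ports(conf)
        if bad:
            print(f"{name}: FAIL, fixed query source port(s): {bad}")
        else:
            print(f"{name}: ok, outgoing query port left to BIND to randomize")
```

Point it at a real `/etc/named.conf` (after `named-checkconf -p` if you use includes) and remove any `port N` clause it flags. The config check is only half the fix discussed in the thread: the firewall in front of the resolver must also allow outbound UDP from the whole randomized source-port range, and the replies back to it, rather than only from udp/53.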

