Vulnerability to cache poisoning -- the rest of the solution

Jeff Lightner jlightner at water.com
Mon Jul 14 19:41:40 UTC 2008


I'm getting them too.

-----Original Message-----
From: Kyle McDonald [mailto:KMcDonald at Egenera.COM] 
Sent: Monday, July 14, 2008 3:37 PM
To: Baird, Josh
Cc: Jeff Lightner; Peter Laws; bind-users at isc.org
Subject: Re: Vulnerability to cache poisoning -- the rest of the solution

Baird, Josh wrote:
> Is anyone else getting all kinds of duplicate messages that were sent
> hours ago?
>
>   
And I thought it was only me.

  -Kyle

>
>
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of Jeff Lightner
> Sent: Monday, July 14, 2008 11:36 AM
> To: Peter Laws; bind-users at isc.org
> Subject: RE: Vulnerability to cache poisoning -- the rest of the solution
>
> You ignored the rest of what I wrote apparently.
>
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of Peter Laws
> Sent: Monday, July 14, 2008 12:15 PM
> To: bind-users at isc.org
> Subject: Re: Vulnerability to cache poisoning -- the rest of the solution
>
> Jeff Lightner wrote:
>   
>> OK maybe I missed something.
>>
>> We were only allowing port 53 outside the firewall (confirmed by the
>> Network folks).   We've been doing lookups for external sites fine
>> despite that.   Was the discussion in current thread about that or
>> something else?
>>     
> Are your *outbound* connections restricted by the firewall to udp/53?
> Or was your security admin talking about *inbound* connections?
>
> All the hullabaloo is about random source ports for DNS servers doing
> recursive lookups on behalf of clients.  The randomness of port choice
> has been improved (hasn't it?) with the recent patches.
>
> You also need to make sure your BIND config doesn't pin it to a
> particular port (53 or otherwise).
>
>
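The practical advice in the quoted exchange comes down to two checks: that named.conf does not pin the query source port with a `query-source`/`query-source-v6 ... port N` clause, and that after patching the server really does send queries from varying source ports. The script below is an added example for this archive page, not code from the thread, its posters or ISC. It runs on constructed inputs only: two made-up named.conf fragments and two made-up `tcpdump -n` captures in which 192.0.2.10 (a documentation address) stands for the recursive server being audited. `port *` is BIND's own syntax for "pick a random port", so that form is treated as fine.

```python
"""Audit helpers for the BIND source-port randomisation issue in the thread.

  1. find_pinned_query_ports() scans named.conf text for a query-source or
     query-source-v6 directive that fixes the UDP source port.
  2. outbound_source_ports() / assess_port_spread() read `tcpdump -n` style
     lines and report whether the resolver's outgoing queries all leave
     from a single port.
All inputs below are constructed for illustration, not taken from a real host.
"""
import re

# Constructed named.conf fragments (not from any real server).
PINNED_CONF = """\
options {
    directory "/var/named";
    // Pins every outgoing query to UDP/53: defeats port randomisation.
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""

FIXED_CONF = """\
options {
    directory "/var/named";
    // No fixed port: a patched BIND chooses a random source port per query.
    query-source address *;
    query-source-v6 address * port *;
    # query-source address * port 53;   <- commented out, must not be flagged
};
"""

# One query-source / query-source-v6 statement up to its terminating ';'.
QUERY_SOURCE_RE = re.compile(r"^\s*(query-source(?:-v6)?)\s+([^;]*);", re.M)


def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out directives are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def find_pinned_query_ports(conf):
    """Return [(directive, port), ...] for query-source lines that fix a port.

    A missing port clause and an explicit `port *` both mean random.
    """
    pinned = []
    for m in QUERY_SOURCE_RE.finditer(strip_comments(conf)):
        directive, args = m.group(1), m.group(2).split()
        if "port" in args:
            port = args[args.index("port") + 1]
            if port != "*":
                pinned.append((directive, int(port)))
    return pinned


# Constructed `tcpdump -n udp port 53` output. 192.0.2.10 is the recursive
# server under audit; 198.51.100.x are the authoritative servers it asks.
SERVER_IP = "192.0.2.10"

CAPTURE_PINNED = """\
15:36:01.100001 IP 192.0.2.10.53 > 198.51.100.1.53: 21873+ A? www.example.com. (33)
15:36:01.104233 IP 198.51.100.1.53 > 192.0.2.10.53: 21873 1/0/0 A 203.0.113.5 (49)
15:36:02.000120 IP 192.0.2.10.53 > 198.51.100.2.53: 41602+ MX? example.net. (29)
15:36:02.500912 IP 192.0.2.10.53 > 198.51.100.1.53: 9043+ A? mail.example.org. (34)
15:36:03.010044 IP 192.0.2.10.53 > 198.51.100.3.53: 58111+ AAAA? www.example.com. (33)
"""

CAPTURE_RANDOM = """\
15:40:01.100001 IP 192.0.2.10.34611 > 198.51.100.1.53: 7021+ A? www.example.com. (33)
15:40:01.104233 IP 198.51.100.1.53 > 192.0.2.10.34611: 7021 1/0/0 A 203.0.113.5 (49)
15:40:02.000120 IP 192.0.2.10.52018 > 198.51.100.2.53: 30455+ MX? example.net. (29)
15:40:02.500912 IP 192.0.2.10.18777 > 198.51.100.1.53: 11982+ A? mail.example.org. (34)
15:40:03.010044 IP 192.0.2.10.61234 > 198.51.100.3.53: 48810+ AAAA? www.example.com. (33)
"""

# "<src host>.<src port> > <dst host>.53:" -- tcpdump prints host.port for v4 and v6.
TCPDUMP_RE = re.compile(r"IP6? (\S+)\.(\d+) > (\S+)\.53: ")


def outbound_source_ports(capture, server_ip):
    """Source ports of the queries that server_ip sent to a remote port 53."""
    return [int(m.group(2)) for m in TCPDUMP_RE.finditer(capture)
            if m.group(1) == server_ip]


def assess_port_spread(ports):
    """Heuristic verdict on a sample of observed source ports.

    Returns (distinct_port_count, verdict). A real audit should look at
    hundreds of queries; on a small sample only "pinned" is conclusive.
    """
    if not ports:
        return 0, "no outbound queries seen"
    distinct = len(set(ports))
    if distinct == 1:
        return 1, "pinned"
    if distinct < len(ports):
        return distinct, "repeating"
    return distinct, "randomised"


if __name__ == "__main__":
    for name, conf in (("pinned", PINNED_CONF), ("fixed", FIXED_CONF)):
        print(f"{name} config: pinned directives = {find_pinned_query_ports(conf)}")
    for name, cap in (("pinned", CAPTURE_PINNED), ("random", CAPTURE_RANDOM)):
        print(f"{name} capture: {assess_port_spread(outbound_source_ports(cap, SERVER_IP))}")
```

On a real server the capture side would be fed from `tcpdump -n udp port 53` run on the resolver's outside interface; the config side from the running named.conf. Note the two checks are complementary: a config without a pinned port still produces a "pinned" capture if an unpatched BIND, or a NAT device between the resolver and the Internet, rewrites every query to the same source port.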