BIND 9.5.0 Unpatched - Passes DNS-OARC and Doxpara Tests

Gross, Jason D GROSSJD at usa-spaceops.com
Mon Jul 14 22:05:39 UTC 2008


So...a false sense of security it is.

Thanks for the quick responses.

---------------------------------------------------------------------
Jason Gross
Network & Communications Services
Platform Engineering & Operations Services
Information Management
United Space Alliance

grossjd at usa-spaceops.com
V: (321) 799-6601  F: (321) 799-5970


-----Original Message-----
From: Jeremy C. Reed [mailto:Jeremy_Reed at isc.org] 
Sent: Monday, July 14, 2008 5:56 PM
To: Gross, Jason D
Cc: bind-users at isc.org
Subject: Re: BIND 9.5.0 Unpatched - Passes DNS-OARC and Doxpara Tests

On Mon, 14 Jul 2008, Gross, Jason D wrote:

> This might fit in the "too dumb to ask" bucket, but if my BIND servers 
> are already passing the DNS-OARC and Doxpara checks, does that mean 
> that my servers don't need to be patched as urgently as a server that 
> doesn't pass or are my servers as vulnerable as any other unpatched 
> server? I do intend to patch, I'm just curious if I'm relatively safe 
> or if I'm just getting a false sense of security.
> 
> My feeling is that it's probably a false sense of security.

See the 9.5.0 ARM: "If port is * or is omitted, a pool of random unprivileged ports will be used." By default there are eight random ports which are recreated every 15 minutes. So that was good enough to trick those tests.

Note that the queryport options will be obsoleted in 9.5.1 which uses a random source port for every query.
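An added illustration of the point Jeremy makes above (not code from the thread or from BIND): a small model of the two behaviours described, a pool of eight random unprivileged ports recreated every 15 minutes versus a fresh random port per query, showing why a checker that samples a few queries sees "random" ports from both, while the entropy the source port actually adds to the 16-bit transaction ID differs by about 13 bits. The port range and class names are assumptions of this model.

```python
import math
import random

# Approximation of "a pool of random unprivileged ports" (assumed range).
UNPRIVILEGED_PORTS = range(1024, 65536)


class PortPool:
    """BIND 9.5.0 default as described in the thread: a pool of `size`
    random unprivileged ports, recreated every `lifetime` seconds."""

    def __init__(self, size=8, lifetime=900, seed=None):
        self.size, self.lifetime = size, lifetime
        self.rng = random.Random(seed)
        self.pool, self.created_at = None, None

    def source_port(self, now):
        # Rotate the whole pool once it is older than `lifetime` (15 min).
        if self.pool is None or now - self.created_at >= self.lifetime:
            self.pool = self.rng.sample(UNPRIVILEGED_PORTS, self.size)
            self.created_at = now
        # Within a window every query draws from the same eight ports.
        return self.rng.choice(self.pool)


class PerQueryRandom:
    """BIND 9.5.1 behaviour described in the thread: new random port per query."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)

    def source_port(self, now):
        return self.rng.choice(UNPRIVILEGED_PORTS)


def distinct_ports_seen(resolver, queries, now=0.0):
    """What an external checker observes: number of distinct source ports
    across `queries` lookups made inside one pool lifetime."""
    return len({resolver.source_port(now) for _ in range(queries)})


def source_port_bits(distinct_ports):
    """Entropy (bits) the source port adds on top of the 16-bit TXID."""
    return math.log2(distinct_ports)


if __name__ == "__main__":
    for name, r in (("pool of 8", PortPool(seed=1)), ("per-query", PerQueryRandom(seed=1))):
        seen = distinct_ports_seen(r, 5)          # a 5-query check looks random for both
        space = distinct_ports_seen(r, 100000)    # the real port space is very different
        print(f"{name}: {seen} distinct in 5 queries, ~{source_port_bits(space):.1f} bits")
```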
