[bind] Re: The worst thing about the exploit -- Have you done your part?

Michael Coumerilh coumie at gmail.com
Mon Jul 28 04:02:35 UTC 2008 

I'm running DNS for my company that only has 35 computers "because I  
can."
I have enabled views, and recursion is off for the "all" group, while  
it is enabled for the "local" group.

My BIND installation is on an OS X server, so manually updating can  
get ugly. We're talking LOW load here. 5,000 requests a day. MAYBE.

Question: Am I safe from this issue, or should I just wholesale  
forward everything to opendns and drop internal DNS?

Is un-patched recursion at ANY point dangerous or just external  
recursion?

Michael

On Jul 27, 2008, at 3:25 PM, Tuc at T-B-O-H.NET wrote:

>> On the other hand, I posted about this on a hardened Linux mailing
>> list, and received only ridicule and scorn in return. A security
>> professional who claims over 3 decades of Internet experience led the
>> charge, calling me paranoid and an alarmist. He specifically claimed
>> that, since he doesn't operate a resolving name server (he uses his
>> ISP, who have not patched their name servers as of my last check),  
>> and
>> since his authoritative name servers are all PowerDNS, he has nothing
>> to worry about, so why was I bothering the list with this irrelevant
>> nonsense?
>>
>> All to say, don't expect it to necessarily be easy to convince people
>> this is a real problem.
>>
>> (I've had better experiences elsewhere. And all of my friends and
>> family whose ISP's are not updated are using opendns.com.)
>>
> 	People have also said "Well, wait until the news outlets get a
> hold of this, it'll be bigger than any movie stars baby, any  
> presidential
> scandal, etc". Well, I've seen it on 2 different news sites, with it
> giving a "dooms day" feel to it.... And.... Seems its just not getting
> anyones attention. The ISP I'm on (MAJOR cable co) still hasn't seemed
> to make the change or done anything about it.
>
> 	I guess someone needs to poison a few large DNS servers and
> start stealing credit cards and eBay/Paypal/Y!/Gmail id/passes for it
> to get anyones attention.
>
> 			Tuc
>

More information about the bind-users mailing list