cache poisoning

Mark Andrews marka at isc.org
Tue Aug 11 03:53:25 UTC 2009


In message <4A80E783.4090005 at gmail.com>, Nelson Serafica writes:
> Last year, there was a global threat about cache poisoning so I immediately
> updated my bind. I updated it to BIND 9.5.0-P1 and did nothing to its
> named.conf

	You should have at least checked the query-source clauses
	to ensure that there wasn't a port specified.
 
	query-source * port 53;        // bad
	query-source 10.53.0.1;        // ok
	query-source *;                // ok (default)

	query-source-v6 * port 53;     // bad
	query-source-v6 2001:db8::1;   // ok (IPv6 documentation-prefix address as example)
	query-source-v6 *;             // ok (default)

> Now, I'm setting up a secondary dns (in my previous emails) and I used BIND
> 9.6.1-P1. But when I do dig +short @<NS2 IP> porttest.dns-oarc.net txt, it
> is poor, but when I do it on my ns1, it is great. ns2 is running the latest
> bind. I believe the fix for this is just to update named to its new version.
> How come I'm still having poor when I'm running the new version of bind?

	If the query-source is ok then NATs and firewalls can
	change the port as seen on the outside.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
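An added example, not part of Mark's reply or of BIND itself: a small Python check that scans a named.conf fragment for query-source / query-source-v6 clauses pinned to a fixed port, the misconfiguration his reply tells the poster to look for. The configuration text is constructed for the example; only the clause names come from the thread.

```python
import re

# Matches clauses such as
#   query-source * port 53;
#   query-source address 10.53.0.1 port *;
#   query-source-v6 *;
_CLAUSE = re.compile(
    r"\b(query-source(?:-v6)?)\s+"   # clause name
    r"(?:address\s+)?(\S+?)"         # optional 'address' keyword, then the address or *
    r"(?:\s+port\s+(\S+?))?\s*;",    # optional 'port N' or 'port *'
)


def _strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#).*", " ", text)
    return text


def check_query_source(conf_text):
    """Return (clause, address, port, verdict) for each query-source clause.

    A fixed numeric port disables source-port randomisation, so it is
    reported as "bad"; "port *" or no port keyword keeps the default
    random port and is "ok".
    """
    findings = []
    for m in _CLAUSE.finditer(_strip_comments(conf_text)):
        clause, address, port = m.group(1), m.group(2), m.group(3)
        verdict = "ok" if port is None or port == "*" else "bad"
        findings.append((clause, address, port, verdict))
    return findings


# Constructed named.conf fragment used as sample input.
SAMPLE_CONF = """\
options {
    directory "/var/cache/bind";
    query-source * port 53;            // bad: fixed port
    query-source-v6 address * port *;  /* ok: random port */
    # query-source 10.53.0.1 port 1053;  -- commented out, must be ignored
};
"""

if __name__ == "__main__":
    for clause, address, port, verdict in check_query_source(SAMPLE_CONF):
        print(f"{verdict:3} {clause} {address} port {port or '(default)'}")
```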