cache poisoning
Mark Andrews
marka at isc.org
Tue Aug 11 03:53:25 UTC 2009
In message <4A80E783.4090005 at gmail.com>, Nelson Serafica writes:
> Last year, there was a global threat about cache poisoning so I immediately updated my BIND. I updated it to BIND
> 9.5.0-P1 and did nothing to its named.conf.
You should have at least checked the query-source clauses
to ensure that there wasn't a port specified.
query-source * port 53; // bad
query-source 10.53.0.1; // ok
query-source *; // ok (default)
query-source-v6 * port 53; // bad
query-source-v6 10.53.0.1; // ok
query-source-v6 *; // ok (default)
> Now, I'm setting up a secondary DNS (in my previous emails) and I used BIND 9.6.1-P1. But when I do dig +short @<NS2 IP>
> porttest.dns-oarc.net txt, it is poor, but when I do it on my ns1, it is great. ns2 is running the latest BIND. I believe
> the fix for this is just to update named to its new version. How come I'm still having poor when I'm running the new
> version of BIND?
If the query-source is ok, then NATs and firewalls can
change the port as seen on the outside.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
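The two checks Mark describes, written out as an added example (not part of this thread or of BIND itself): a scan of a named.conf for query-source clauses that pin the UDP source port, and a summary of the source ports actually observed on the outside of a NAT or firewall, which is where the "poor" result can come from even when the configuration is correct. The sample configuration text and port lists are constructed for this example, and the verdict thresholds are this example's own assumptions rather than the scoring used by porttest.dns-oarc.net.

```python
"""Defender-side checks for BIND source-port randomisation.

1. fixed_port_query_sources(): find query-source / query-source-v6
   clauses that name a specific port.  A pinned port defeats
   source-port randomisation and leaves the resolver exposed to
   cache poisoning.
2. assess_source_ports(): summarise the UDP source ports seen for
   outbound queries (e.g. read off a capture taken outside the NAT),
   since the NAT or firewall may rewrite them even when BIND is fine.

Sample configuration text and port lists are constructed for this
example.  Verdict thresholds are this example's assumptions, not the
scoring used by porttest.dns-oarc.net.
"""
import re
import statistics

# BIND accepts three comment styles; strip them all before parsing so a
# commented-out clause is not reported.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)

# query-source[-v6] [address] (<ip>|*) [port (<number>|*)] ;
_QS_RE = re.compile(
    r"\b(query-source(?:-v6)?)\s+(?:address\s+)?(\S+)(?:\s+port\s+(\S+))?\s*;",
    re.IGNORECASE,
)

# Constructed sample: the six lines from the reply plus surrounding options.
SAMPLE_CONF = """
options {
    directory "/var/named";
    query-source * port 53; // bad
    query-source 10.53.0.1; // ok
    query-source *; // ok (default)
    query-source-v6 * port 53; // bad
    query-source-v6 10.53.0.1; // ok
    query-source-v6 *; // ok (default)
    /* a block comment with a pinned port must not be reported:
       query-source address 10.53.0.2 port 1053; */
    # query-source 10.53.0.3 port 53;
};
"""


def fixed_port_query_sources(conf_text):
    """Return [(directive, address, port), ...] for every query-source
    clause that pins a numeric port.  Both `port *` and a missing port
    clause let BIND choose a random port and are not reported."""
    stripped = _COMMENT_RE.sub("", conf_text)
    findings = []
    for directive, addr, port in _QS_RE.findall(stripped):
        if port and port != "*":
            findings.append((directive.lower(), addr, int(port)))
    return findings


def assess_source_ports(ports):
    """Summarise observed UDP source ports for outbound queries.
    Returns distinct-port count, population standard deviation and a
    verdict: 'fixed' (one port), 'poor' (few ports or a narrow range),
    or 'randomised'.  Thresholds are this example's assumptions."""
    if not ports:
        raise ValueError("no ports observed")
    distinct = len(set(ports))
    spread = statistics.pstdev(ports) if distinct > 1 else 0.0
    if distinct == 1:
        verdict = "fixed"        # every query left from one port
    elif distinct < len(ports) // 2 or spread < 1000:
        verdict = "poor"         # small NAT pool or sequential range
    else:
        verdict = "randomised"
    return {"distinct": distinct, "stdev": round(spread, 1), "verdict": verdict}


if __name__ == "__main__":
    for directive, addr, port in fixed_port_query_sources(SAMPLE_CONF):
        print(f"pinned port: {directive} {addr} port {port}")
    # Constructed captures: a NAT that rewrites everything to one port,
    # a NAT handing out a sequential range, and a healthy resolver.
    print(assess_source_ports([53] * 20))
    print(assess_source_ports(list(range(40000, 40020))))
    print(assess_source_ports([1025, 60000, 33000, 12000, 50000, 2000, 45000, 7000]))
```

Run the port check on captures taken on both sides of the NAT: if BIND's own side is randomised but the outside is "fixed" or "poor", the device in between is rewriting the ports and the fix belongs there, not in named.conf.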