John,

> I complained long ago about this situation and couldn't get anyone to
> listen. We have been hit twice, and both times the only common link was
> webpower.com. The problem originates when a fictitious domain is registered and
> points to a DNS that the hacker has access to. The hacker then somehow loads
> the DNS records in the cache of the targeted DNS claiming to have authority for
> the .com domain. When someone in your domain requests the fictitious site, it
> then supplies a non-authoritative response to your DNS and replaces the
> information in your cache for the .com domain. Any subsequent requests to your
> DNS for a non-cached .com domain go to one of the webpower.com servers, which
> of course can't respond properly.

I thought that cache poisoning was corrected in Bind 8.1.1, as the following
CERT advisory indicates.

http://www.cert.org/advisories/CA-97.22.bind.html

If we were running 4.9.3, then I could understand; however, we are running
8.2.2-P5. Are you aware of a new form of cache poisoning?

> The only cure is to set your DNS to accept authoritative answers only.

I've had a look at the options for bind, as follows, and I can't see any
"accept authoritative answers only" option - we've done everything in last
year's AusCERT Advisory, as follows.

http://www.isc.org/products/BIND/docs/config/options.html
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos

What do you recommend we do?

Yours sincerely,

-- 
Mark John Suter | I know that you believe you understand
suter@humbug.org.au | what you think I said, but I am not sure
GPG key id F2FEBB36 | you realise that what you heard is not
Ph: +61 4 1126 2316 | what I meant.
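The mechanism the quoted mail describes (a reply for a fictitious domain carrying an authority section that claims NS records for the whole .com zone) is what the "bailiwick" rule in a caching resolver is meant to stop: records in the authority and additional sections are only trusted for names at or below the zone the queried server was delegated, so a claim about "com." arriving from a server delegated one .com subdomain is never cached. The following script is an added example, not part of this thread, BIND, or any advisory it cites; it models that check over constructed responses. The zone name, the domain names, the 192.0.2.x addresses and the function names are all made up for illustration.

```python
# Added example, not part of the original mailing-list thread: a "bailiwick"
# check of the kind a resolver applies before caching records from a response.
# It models the attack described in the quoted mail: a reply for a fictitious
# domain whose authority section claims NS records for the whole .com zone.
# All names, addresses and function names below are constructed for illustration.

from typing import Dict, List, Tuple

Record = Tuple[str, str, str]          # (owner name, RR type, rdata)
Response = Dict[str, List[Record]]     # section name -> records


def _labels(name: str) -> List[str]:
    """Split a domain name into lower-cased labels, ignoring the trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(zone: str, response: Response) -> Tuple[List[Record], List[Record]]:
    """Split a response from a server delegated `zone` into cacheable and rejected records.

    Authority and additional (glue) records are only trusted for names at or
    below the zone the server was asked about; a record for a parent zone such
    as "com." is the poison in the scenario above and is dropped, never cached.
    """
    accepted: List[Record] = []
    rejected: List[Record] = []
    for section in ("answer", "authority", "additional"):
        for rec in response.get(section, []):
            owner = rec[0]
            (accepted if in_bailiwick(owner, zone) else rejected).append(rec)
    return accepted, rejected


def rejected_parent_zones(zone: str, response: Response) -> List[str]:
    """Owner names of rejected NS records that lie above `zone`: the poisoning signature."""
    _, rejected = filter_response(zone, response)
    return sorted({owner for owner, rrtype, _ in rejected
                   if rrtype == "NS" and in_bailiwick(zone, owner)})


DELEGATED_ZONE = "fictitious-example.com."   # zone the queried server is delegated

# Constructed poisoning attempt: the answer itself is fine, but the authority
# section asserts NS for all of .com, pointing at a server the attacker runs.
POISON_RESPONSE: Response = {
    "answer":     [("www.fictitious-example.com.", "A", "192.0.2.10")],
    "authority":  [("com.", "NS", "ns.attacker.example.")],
    "additional": [("ns.attacker.example.", "A", "192.0.2.20")],
}

# Constructed well-formed response for comparison: everything stays in bailiwick.
CLEAN_RESPONSE: Response = {
    "answer":     [("www.fictitious-example.com.", "A", "192.0.2.10")],
    "authority":  [("fictitious-example.com.", "NS", "ns1.fictitious-example.com.")],
    "additional": [("ns1.fictitious-example.com.", "A", "192.0.2.30")],
}


if __name__ == "__main__":
    for label, resp in (("poison", POISON_RESPONSE), ("clean", CLEAN_RESPONSE)):
        ok, bad = filter_response(DELEGATED_ZONE, resp)
        print(f"{label}: cached {len(ok)} record(s), rejected {len(bad)}, "
              f"parent zones claimed: {rejected_parent_zones(DELEGATED_ZONE, resp)}")
```

Run as-is it reports that the poisoned reply has its "com." NS record and the glue for the attacker's server rejected while the answer is kept, and that the clean reply is cached in full. On a real resolver the equivalent signal is a log of out-of-bailiwick records dropped from a response; a sudden run of such drops naming a top-level zone is worth alerting on.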