BIND recursive resolver exploit?
David Wolfskill
david at catwhisker.org
Tue Jul 22 13:45:35 PDT 2008
The FreeBSD lists have been fairly active recently in discussing the
(somewhat-)recently disclosed vulnerability in BIND that (IIRC) targets
recursive resolvers (by poisoning their caches).
I'm mildly surprised that there's not been more discussion of it here,
as it does cross OS lines pretty thoroughly.
The current circumvention appears to be to ensure that DNS query source
ports are properly randomized, while the purported fix is to implement
DNSSEC.
For my name servers, I configure them so that they only honor recursive
queries from within my network; I gather, though, that this does not
avoid the issue, as it would still be possible to place a reference
(e.g., a URL) to a particular DNS zone to cause my name server to
perform a query that is at least strongly influenced by an untrusted
party outside my network.
Comments? Or is this all old hat?
Peace,
david
--
David H. Wolfskill david at catwhisker.org
I submit that "conspiracy" would be an appropriate collective noun for cats.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://www.baylisa.org/pipermail/baylisa/attachments/20080722/68a265a7/attachment.bin>
More information about the Baylisa
mailing list