FreeBSD 7.1 and BIND exploit

Brett Glass brett at lariat.net
Mon Jul 21 22:52:40 UTC 2008


At 02:24 PM 7/21/2008, Kevin Oberman wrote:

>Don't forget that ANY server that caches data, including an end system
>running a caching only server is vulnerable.

Actually, there is an exception to this. A "forward only" cache/resolver is only as vulnerable as its forwarder(s). This is a workaround for the vulnerability for folks who have systems that they cannot easily upgrade: point at a trusted forwarder that's patched.

We're also looking at using dnscache from the djbdns package. It's really idiosyncratic, but seems to work well -- and if you're just doing a caching resolver you don't have to touch it once you get it configured.

Of course, all solutions that randomize ports are really just "security by obscurity," because by shuffling ports you're hiding the way to poison your cache... a little.

--Brett Glass
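The "forward only" workaround described in the post, shown as an added BIND 9 named.conf fragment (this is example configuration, not from the original message or from the FreeBSD project). The forwarder address 192.0.2.53 and the client network 192.0.2.0/24 are placeholders; the first `options` block is the weak layout it replaces, and only one `options` block may appear in a real named.conf, so use one or the other.

```conf
// Added example: caching-only resolver that cannot be upgraded yet.
// Addresses are placeholders (RFC 5737 documentation range).

// --- Weak layout: the resolver recurses on its own and pins every outgoing
// query to UDP port 53, so an attacker only has to match the 16-bit
// transaction ID to forge a reply into the cache.
options {
    directory "/etc/namedb";
    recursion yes;
    query-source address * port 53;   // fixed source port: removes port entropy
};

// --- Workaround from the thread: forward-only.
// named sends every query to the listed forwarders and never walks the tree
// itself, so this cache is exposed only to the extent its forwarders are.
options {
    directory "/etc/namedb";
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };   // placeholder: your clients only
    forward only;
    forwarders { 192.0.2.53; };                      // placeholder: patched, trusted resolver
    // No "query-source ... port N" line: let named choose a random source port.
};
```

Validate the file with `named-checkconf` before reloading, and keep the forwarder list to resolvers you know are patched, since with `forward only` their cache becomes your cache. Note that `forward first` does not give the same protection: it falls back to normal recursion when the forwarders do not answer.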
