FreeBSD Security Advisory FreeBSD-SA-07:02.bind
Colin Percival
cperciva at freebsd.org
Sat Feb 10 07:09:21 UTC 2007
Mark Andrews wrote:
>> There is no workaround available, but systems which are not authoritative
>> servers for DNSSEC signed zones are not affected by the first issue; and
>> systems which do not permit untrusted users to perform recursive DNS
>> resolution are not affected by the second issue. Note that the default
>> configuration for named(8) in FreeBSD allows local access only (which on
>> many systems is equivalent to refusing access to untrusted users).
>
> From ISC's advisory (which I authored).
>
> Workaround:
>
> Disable / restrict recursion (to limit exposure).
Considering that the only FreeBSD systems which permit recursive queries are
those which have been specifically configured to do so, I don't consider this
to be a workaround. DoS by administrator is no better than DoS by attacker.
Colin Percival