FreeBSD 7.1 and BIND exploit

Kevin Oberman oberman at es.net
Mon Jul 21 20:34:54 UTC 2008


> From: Max Laier <max at love2party.net>
> Date: Mon, 21 Jul 2008 21:38:46 +0200
> Sender: owner-freebsd-stable at freebsd.org
> 
> On Monday 21 July 2008 21:14:22 Doug Barton wrote:
> > Brett Glass wrote:
> > | Everyone:
> > |
> > | Will FreeBSD 7.1 be released in time to use it as an upgrade to
> > | close the BIND cache poisoning hole?
> >
> > Brett, et al,
> >
> > I'll make this simple for you. If you have a server that is running
> > BIND, update BIND now. If you need to use the ports, that's fine, just
> > do it now. Make sure that you are not specifying a port via any
> > query-source* options in named.conf, and that any firewall between
> > your named process and the outside world does keep-state on outgoing
> > UDP packets.
> 
> ... and that any NAT device employs at least a somewhat random port 
> allocation mechanism - pf provides this.

And, if you are not sure how good a job it does (and I am not), you
should use the OARC test to check how well it works:
dig +short porttest.dns-oarc.net TXT

If the result is not "GOOD", it's not good enough.

You can test a remote server by adding "@remote-server" to the dig
command. The server may be specified by name or IP address.

Don't forget that ANY server that caches data, including an end system
running a caching-only server, is vulnerable.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
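An added example, not part of the original message or of the OARC service: a small Python heuristic for judging the randomness of UDP source ports you have captured yourself (for instance on the resolver's outside interface or behind the NAT), useful when you want to check a NAT directly rather than via the porttest lookup. The scoring thresholds and the sample port lists are constructed assumptions, not OARC's algorithm.

```python
"""Rough source-port randomness check for a resolver or NAT (added example).

Assumes you already have a list of UDP source ports, in the order observed,
from outgoing queries. The thresholds below are constructed for illustration;
they are not the scoring used by porttest.dns-oarc.net.
"""
import random
import statistics


def port_stats(ports):
    """Return (distinct_fraction, population stddev, span) for observed ports."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    distinct = len(set(ports)) / len(ports)
    sd = statistics.pstdev(ports)
    span = max(ports) - min(ports)
    return distinct, sd, span


def classify(ports):
    """Map the statistics to a verdict in the spirit of the OARC test.

    POOR: a fixed port (query-source port set, or a NAT rewriting every flow
          to one port) or sequential allocation with a constant step.
    FAIR: ports vary but stay inside a narrow range.
    GOOD: ports are spread across most of the 16-bit space.
    """
    distinct, sd, span = port_stats(ports)
    if distinct < 0.5 or span < 1024:
        return "POOR"
    # Sequential allocators give many distinct ports but identical gaps.
    gaps = [b - a for a, b in zip(ports, ports[1:])]
    if len(set(gaps)) == 1:
        return "POOR"
    if sd < 10000:
        return "FAIR"
    return "GOOD"


# Constructed samples standing in for captured ports (not real captures).
FIXED = [32768] * 64                                  # query-source port pinned
SEQUENTIAL = list(range(40000, 40000 + 64 * 20, 20))  # NAT handing out +20 each
NARROW = random.Random(1).choices(range(50000, 60000), k=64)   # 10k-wide pool
WIDE = random.Random(2).sample(range(1024, 65536), 64)         # full range

if __name__ == "__main__":
    for name, sample in ("fixed", FIXED), ("sequential", SEQUENTIAL), \
                        ("narrow", NARROW), ("wide", WIDE):
        print(f"{name:10s} -> {classify(sample)}")
```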