FreeBSD 7.1 and BIND exploit
Clifton Royston
cliftonr at lava.net
Tue Jul 22 16:20:28 UTC 2008
On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote:
> Brett Glass wrote:
> > At 02:24 PM 7/21/2008, Kevin Oberman wrote:
> >
> > > Don't forget that ANY server that caches data, including an end system
> > > running a caching only server is vulnerable.
> >
> > Actually, there is an exception to this. A "forward only"
> > cache/resolver is only as vulnerable as its forwarder(s). This is a
> > workaround for the vulnerability for folks who have systems that they
> > cannot easily upgrade: point at a trusted forwarder that's patched.
> >
> > We're also looking at using dnscache from the djbdns package.
>
> I'm curious, is djbdns exploitable, too? Does it randomize
> the source ports of UDP queries?
AFAIK Dan Bernstein first spelled out the fundamental problems with
DNS response forgery in 2001. He implemented dnscache to randomize
source ports and IDs from the beginning, via a cryptographic quality
RNG. See for instance this page, much of it written in 2003:
<http://cr.yp.to/djbdns/forgery.html>
He rubs a lot of people the wrong way, but I think he has usually
proved to be right on security issues.
I also think that modular design of security-sensitive tools is the
way to go, with his DNS tools as with Postfix.
-- Clifton
--
Clifton Royston -- cliftonr at iandicomputing.com / cliftonr at lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services
More information about the freebsd-stable
mailing list