FreeBSD 7.1 and BIND exploit

Mark Andrews Mark_Andrews at isc.org
Wed Jul 23 01:58:10 UTC 2008 

> On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote:
> > Brett Glass wrote:
> >  > At 02:24 PM 7/21/2008, Kevin Oberman wrote:
> >  > 
> >  > > Don't forget that ANY server that caches data, including an end system
> >  > > running a caching only server is vulnerable.
> >  >
> >  > Actually, there is an exception to this. A "forward only"
> >  > cache/resolver is only as vulnerable as its forwarder(s). This is a
> >  > workaround for the vulnerability for folks who have systems that they
> >  > cannot easily upgrade: point at a trusted forwarder that's patched.
> >  >
> >  > We're also looking at using dnscache from the djbdns package.
> > 
> > I'm curious, is djbdns exploitable, too?  Does it randomize
> > the source ports of UDP queries?
> 
>   AFAIK Dan Bernstein first spelled out the fundamental problems with
> DNS response forgery in 2001.  He implemented dnscache to randomize
> source ports and IDs from the beginning, via a cryptographic quality
> RNG.  See for instance this page, much of it written in 2003:
> 
>   <http://cr.yp.to/djbdns/forgery.html>

	And the IETF was working on a solution well before that.
	One that addressed not only off path attacks but also
	addressed on path attacks.   One that worked with kernels
	that only supported limited numbers of file desriptors.
	One that worked regardless on the number of concurrent
	outstanding queries.

	That solution is called DNSSEC.  We looked at what Dan did
	and said it didn't go far enough and that it has implementation
	issues at high query rates that can't be solved just by
	throwing more cpu at the problem.  The problems are inherent
	to how UDP works.
 
>   He rubs a lot of people the wrong way, but I think he has usually
> proved to be right on security issues.

	Dan is often right.  However a different, more encompassing,
	solution was choosen.

>   I also think that modular design of security-sensitive tools is the
> way to go, with his DNS tools as with Postfix.
>   -- Clifton
> 
> -- 
>     Clifton Royston  --  cliftonr at iandicomputing.com / cliftonr at lava.net
>        President  - I and I Computing * http://www.iandicomputing.com/
>  Custom programming, network design, systems and network consulting services
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the freebsd-stable mailing list