[105890] in North American Network Operators' Group
Re: Multiple DNS implementations vulnerable to cache poisoning
daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Wed Jul 9 09:17:02 2008
Date: Wed, 9 Jul 2008 09:16:53 -0400
From: "Jay R. Ashworth" <jra@baylink.com>
To: nanog@nanog.org
In-Reply-To: <48747955.20906@vaxination.ca>
Errors-To: nanog-bounces@nanog.org
On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-François Mezei wrote:
> My DNS server made the various DNS requests from the same port and is
> thus vulnerable. (VMS TCPIP Services so no patches expected).
Well, yes, but unless I've badly misunderstood the situation, all
that's necessary to mitigate this bug is to interpose a non-buggy
recursive resolver between the broken machine and the Internet at
large, right?
So just make sure your corporate/campus edge router has a reasonable
named on it, and point everything broken at that, and you should be ok,
even though, as you note, DEC won't be updating VMS any time soon. :-)
Cheers,
-- jr 'Compaq? No, that's HP now, isn't it?' a
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Joseph Stalin)
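As an added illustration (my own code, not part of the NANOG thread or any product mentioned in it), here is a small Python script that performs the check Jean-François describes above: look at the outbound queries a resolver sends and see whether they all leave from one UDP source port. It parses tcpdump-style lines; the lines, IP addresses (RFC 5737 documentation ranges), ports and transaction IDs are constructed for the example, and the 16-bit TXID figure is the DNS header field size, not something measured here.

```python
"""Flag recursive resolvers whose outgoing DNS queries all use one source port.

Added example, not from the NANOG thread. Input is constructed tcpdump -n
style output; a practitioner would feed in a capture taken on the
resolver's upstream interface, e.g.  tcpdump -n -i eth0 udp dst port 53
"""
import math
import re
from collections import defaultdict

# tcpdump -n prints an outbound DNS query roughly as:
#   IP <src>.<sport> > <dst>.<dport>: <txid>[+] <qtype>? <qname>. (<len>)
# Responses look like "<txid> 1/0/0 A 203.0.113.5 (49)" and do not match the
# "<QTYPE>?" part, so they are skipped, as is anything that is not DNS.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

# Constructed sample capture (hypothetical hosts):
#   192.0.2.10 - a resolver that always queries from port 53 (the VMS case)
#   192.0.2.20 - a resolver with randomized source ports
#   192.0.2.30 - too few queries seen to say anything
SAMPLE_LINES = """\
09:16:53.000001 IP 192.0.2.10.53 > 198.51.100.1.53: 21574 A? www.example.com. (33)
09:16:53.000002 IP 198.51.100.1.53 > 192.0.2.10.53: 21574 1/0/0 A 203.0.113.5 (49)
09:16:53.000003 IP 192.0.2.10.53 > 198.51.100.2.53: 9921 MX? example.net. (29)
09:16:53.000004 IP 192.0.2.10.53 > 198.51.100.3.53: 40210 A? mail.example.org. (34)
09:16:53.000005 IP 192.0.2.10.53 > 198.51.100.1.53: 57 AAAA? www.example.com. (33)
09:16:53.000006 IP 192.0.2.20.47211 > 198.51.100.1.53: 3017 A? www.example.com. (33)
09:16:53.000007 IP 192.0.2.20.8876 > 198.51.100.2.53: 61922 MX? example.net. (29)
09:16:53.000008 IP 192.0.2.20.59830 > 198.51.100.3.53: 14455 A? mail.example.org. (34)
09:16:53.000009 IP 192.0.2.20.23190 > 198.51.100.1.53: 700 AAAA? www.example.com. (33)
09:16:53.000010 IP 192.0.2.30.41000 > 198.51.100.1.53: 123 A? www.example.com. (33)
09:16:53.000011 IP 192.0.2.30.41002 > 198.51.100.1.53: 124 A? www.example.net. (33)
09:16:53.000012 IP 192.0.2.20.51234 > 203.0.113.9.80: Flags [S], seq 1, win 65535, length 0
""".splitlines()


def parse_queries(lines):
    """Return (src_ip, src_port, txid) for each outbound query to UDP/53."""
    queries = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "53":
            continue
        queries.append((m.group("src"), int(m.group("sport")), int(m.group("txid"))))
    return queries


def assess(queries, min_samples=4):
    """Per querying host: port/TXID spread, a verdict, and the bits an
    off-path attacker must guess per forged answer (observed lower bound)."""
    ports, txids, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, sport, txid in queries:
        ports[src].add(sport)
        txids[src].add(txid)
        count[src] += 1

    report = {}
    for src, n in count.items():
        if n < min_samples:
            verdict = "INSUFFICIENT_DATA"
        elif len(ports[src]) == 1:
            verdict = "FIXED_PORT"
        else:
            verdict = "RANDOMIZED"
        # The 16-bit TXID is always in play; a fixed source port adds nothing
        # to it, randomized ports add log2(observed distinct ports) at least.
        port_bits = 0.0 if len(ports[src]) == 1 else math.log2(len(ports[src]))
        report[src] = {
            "queries": n,
            "distinct_ports": len(ports[src]),
            "distinct_txids": len(txids[src]),
            "verdict": verdict,
            "guess_bits": 16 + port_bits,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(assess(parse_queries(SAMPLE_LINES)).items()):
        print(f"{src:15} {info['verdict']:18} queries={info['queries']} "
              f"ports={info['distinct_ports']} txids={info['distinct_txids']} "
              f"guess_bits>={info['guess_bits']:.1f}")
```

Two caveats for anyone applying the "interpose a good named" advice: a patched BIND still pins its port if named.conf carries `query-source address * port 53;` (drop the `port` clause), and a NAT/PAT device between that resolver and the Internet can rewrite the randomized source ports into a predictable sequence, so take the capture on the outside of the NAT as well as on the resolver itself.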