[105891] in North American Network Operators' Group
Re: Multiple DNS implementations vulnerable to cache poisoning
daemon@ATHENA.MIT.EDU (Simon Waters)
Wed Jul 9 09:38:55 2008
From: Simon Waters <simonw@zynet.net>
To: nanog@nanog.org
Date: Wed, 9 Jul 2008 14:38:38 +0100
In-Reply-To: <20080709131653.GC31722@cgi.jachomes.com>
Errors-To: nanog-bounces@nanog.org
On Wednesday 09 July 2008 14:16:53 Jay R. Ashworth wrote:
> On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-François Mezei wrote:
> > My DNS server made the various DNS requests from the same port and is
> > thus vulnerable. (VMS TCPIP Services so no patches expected).
>
> Well, yes, but unless I've badly misunderstood the situation, all
> that's necessary to mitigate this bug is to interpose a non-buggy
> recursive resolver between the broken machine and the Internet at
> large, right?
He said "DNS server", which you wouldn't want to point at a correct named,
because that would be forwarding, and forwarding has its own security issues.
I've already dragged a name server here back to a supported OS version today
because of this, don't see why others should escape ;)
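The thread turns on one observable: whether a resolver sends every outbound query from the same UDP source port. The check below, added here as an illustration and not code from any poster, classifies a resolver's source-port behaviour from (source port, transaction ID) pairs of its outgoing queries; the three samples are constructed, not captured, and a real run would feed it pairs taken from a capture of the resolver's own outbound port-53 traffic.

```python
import math

# Constructed samples of (UDP source port, DNS transaction ID) pairs as a
# resolver would emit them for successive outbound queries. None of these
# is a real capture; all three are made up for this example.
FIXED_PORT_QUERIES = [(53, t) for t in (0x1A2B, 0x9C3D, 0x4E5F, 0x7081,
                                        0x2233, 0xABCD, 0x0F0E, 0x5566)]
SEQUENTIAL_PORT_QUERIES = [(32768 + i, t) for i, t in enumerate(
    (0x1A2B, 0x9C3D, 0x4E5F, 0x7081, 0x2233, 0xABCD))]
RANDOM_PORT_QUERIES = [(49152, 0x1A2B), (60311, 0x9C3D), (34001, 0x4E5F),
                       (57730, 0x7081), (40916, 0x2233), (63412, 0xABCD),
                       (35277, 0x0F0E), (52090, 0x5566)]

def port_profile(queries):
    """Classify how the resolver picks source ports across these queries."""
    ports = [port for port, _ in queries]
    distinct = len(set(ports))
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if distinct == 1:
        kind = "fixed"          # every query leaves from one port
    elif steps and all(step == 1 for step in steps):
        kind = "sequential"     # OS hands out ephemeral ports in order
    else:
        kind = "randomized"
    return {"distinct_ports": distinct, "kind": kind}

def guess_bits(queries):
    """Bits an off-path forger must match per response: the 16-bit TXID
    plus whatever the source port adds. With a fixed or sequential port
    the port adds nothing, so the TXID is all that protects the cache."""
    if port_profile(queries)["kind"] != "randomized":
        return 16.0
    # Lower bound from what this sample showed; a resolver with full
    # port randomization approaches 16 + 16 bits.
    return 16.0 + math.log2(len({port for port, _ in queries}))

def verdict(queries):
    """One-word summary a resolver operator can act on."""
    if port_profile(queries)["kind"] != "randomized":
        return "vulnerable"
    return "port randomization observed"

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_QUERIES),
                         ("sequential", SEQUENTIAL_PORT_QUERIES),
                         ("random", RANDOM_PORT_QUERIES)):
        print(name, port_profile(sample), guess_bits(sample), verdict(sample))
```

A resolver that reports "fixed" or "sequential" here is the case the thread describes, and the remedy is a patched resolver that randomizes ports rather than a forwarder placed in front of it.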