[105892] in North American Network Operators' Group

Re: Multiple DNS implementations vulnerable to cache poisoning

daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Wed Jul 9 10:18:21 2008

Date: Wed, 9 Jul 2008 10:18:04 -0400
From: "Jay R. Ashworth" <jra@baylink.com>
To: nanog@nanog.org
In-Reply-To: <200807091438.38443.simonw@zynet.net>
Errors-To: nanog-bounces@nanog.org

On Wed, Jul 09, 2008 at 02:38:38PM +0100, Simon Waters wrote:
> On Wednesday 09 July 2008 14:16:53 Jay R. Ashworth wrote:
> > > On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-François Mezei wrote:
> > > My DNS server made the various DNS requests from the same port and is
> > > thus vulnerable. (VMS TCPIP Services so no patches expected).
> >
> > Well, yes, but unless I've badly misunderstood the situation, all
> > that's necessary to mitigate this bug is to interpose a non-buggy
> > recursive resolver between the broken machine and the Internet at
> > large, right?
> 
> He said "DNS server", which you wouldn't want to point at a correct named, 
> because that would be forwarding, and forwarding has its own security issues.

Assuming that he actually meant "name server" and not "the resolver
library on my VMS machine" -- lots of Unix boxes don't run a local
named either.  No offense to JF...

> I've already dragged a name server here back to a supported OS version today 
> because of this, don't see why others should escape ;)

Well, in his case, for the same reason that no one will be upgrading
the resolver library on Win98 if it's broke, I think.

Cheers,
-- jra
-- 
Jay R. Ashworth                   Baylink                      jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

	     Those who cast the vote decide nothing.
	     Those who count the vote decide everything.
	       -- (Josef Stalin)
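A defender-side check on the symptom Jean-François describes (every outbound query leaving from the same port), added here as an example and not part of the thread: it reads tcpdump-style lines of a resolver's outbound queries and flags any source address that reuses one port. The capture lines, addresses and the `min_queries` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (hypothetical addresses). 192.0.2.10 stands
# in for a resolver that reuses one port; 192.0.2.20 randomizes its port.
SAMPLE_CAPTURE = """\
10:18:04.001 IP 192.0.2.10.53 > 198.51.100.1.53: 4125 A? example.com. (29)
10:18:04.020 IP 192.0.2.10.53 > 198.51.100.2.53: 4126 A? example.net. (29)
10:18:04.041 IP 192.0.2.10.53 > 198.51.100.3.53: 4127 A? example.org. (29)
10:18:04.062 IP 192.0.2.10.53 > 198.51.100.1.53: 4128 AAAA? example.com. (29)
10:18:05.001 IP 192.0.2.20.41872 > 198.51.100.1.53: 17431 A? example.com. (29)
10:18:05.022 IP 192.0.2.20.58207 > 198.51.100.2.53: 3090 A? example.net. (29)
10:18:05.043 IP 192.0.2.20.33119 > 198.51.100.3.53: 61022 A? example.org. (29)
10:18:05.064 IP 192.0.2.20.50444 > 198.51.100.1.53: 9517 AAAA? example.com. (29)
"""

# source IP, source port, then the DNS transaction ID (optional "+" = RD set)
QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+\.53: (\d+)\+? \S+\? ")


def parse_queries(capture):
    """Return (src_ip, src_port, txid) for each outbound query line."""
    out = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def assess_resolvers(queries, min_queries=4):
    """Per source IP: count, distinct ports/TXIDs and a fixed-port verdict;
    with fewer than min_queries samples the verdict is None (undecided)."""
    seen = defaultdict(list)
    for ip, port, txid in queries:
        seen[ip].append((port, txid))
    report = {}
    for ip, pairs in seen.items():
        ports = {p for p, _ in pairs}
        report[ip] = {
            "queries": len(pairs),
            "distinct_ports": len(ports),
            "distinct_txids": len({t for _, t in pairs}),
            "fixed_port": len(ports) == 1 if len(pairs) >= min_queries else None,
        }
    return report


if __name__ == "__main__":
    for ip, r in assess_resolvers(parse_queries(SAMPLE_CAPTURE)).items():
        print(ip, r)
```

On a real capture, point tcpdump at the resolver's outbound side (`udp dst port 53`) and feed its output in; a resolver behind a forwarder will only ever show the forwarder's traffic, which is the situation the thread argues about.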

