[106136] in North American Network Operators' Group


Re: SANS: DNS Bug Now Public?

daemon@ATHENA.MIT.EDU (Joe Abley)
Wed Jul 23 14:20:32 2008

From: Joe Abley <jabley@ca.afilias.info>
To: Jorge Amodio <jmamodio@gmail.com>
In-Reply-To: <202705b0807230916i67de3740x3fa471dc289f1832@mail.gmail.com>
Date: Wed, 23 Jul 2008 13:11:18 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


On 23 Jul 2008, at 12:16, Jorge Amodio wrote:

> Let me add that folks need to understand that the "patch" is not a
> fix to a problem that has been there for a long time and it is just a
> workaround to reduce the chances for a potential attack, and it must
> be combined with best practices and recommendations to implement a
> more robust DNS setup.

Having just seen some enterprise types spend time patching their
nameservers, it's also perhaps worth spelling out that "patch" in this
case might require more than upgrading resolver code -- it could also
involve reconfigurations, upgrades or replacements of NAT boxes too.
If your NAT reassigns source ports in a predictable fashion, then no
amount of BIND9 patching is going to help.

(Reconfiguring your internal resolvers to forward queries to an
external, patched resolver which can see the world other than through
NAT-coloured glasses may also be a way out.)


Joe
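The point Joe makes above, that a NAT which rewrites source ports can undo the resolver's randomisation, is something a defender can measure rather than assume. The following is an added example, not code from the NANOG thread or from any resolver or NAT vendor: it takes the source ports of outbound queries as seen from outside the NAT (for instance from a packet capture on the NAT's external interface, or on an external resolver you control) and checks for two tell-tale signs of predictability, a fixed stride between consecutive ports and a narrow port pool. The port samples, the tcpdump-style lines and the thresholds (8 samples minimum, 50% identical deltas, a 1024-port span) are constructed assumptions for this illustration.

```python
"""Check whether the source ports of outbound DNS queries, as observed from
outside a NAT, look randomised or predictable.  Added example, not code from
the NANOG thread; samples, capture lines and thresholds are constructed."""
import math
import re
from collections import Counter

# Matches the client (source) port in a tcpdump one-liner such as
# "13:11:18.000001 IP 192.0.2.10.53211 > 198.51.100.1.53: 12345+ A? example.com. (29)"
# Only packets *to* port 53 match, so the resolver's replies are skipped.
_QUERY_RE = re.compile(
    r"IP (?:\d{1,3}\.){3}\d{1,3}\.(\d+) > (?:\d{1,3}\.){3}\d{1,3}\.53: ")


def ports_from_tcpdump_lines(lines):
    """Extract the UDP source port of each query to port 53, in capture order."""
    ports = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def delta_regularity(ports):
    """Share of consecutive port deltas (mod 2^16) equal to the most common delta.
    Close to 1.0 means the NAT hands out ports in a fixed stride; close to 0
    means the deltas are all different, as they are for randomised ports."""
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if not deltas:
        return 0.0
    return Counter(deltas).most_common(1)[0][1] / len(deltas)


def span_bits(ports):
    """log2 of the port range actually used.  A resolver spreading queries over
    1024-65535 shows close to 16 bits; a NAT with a small pool shows far fewer."""
    return math.log2(max(ports) - min(ports) + 1)


def assess(ports, min_samples=8, max_regularity=0.5, min_span_bits=10.0):
    """Classify a sequence of observed source ports.  The thresholds are
    assumptions chosen for this example, not values from the thread."""
    if len(ports) < min_samples:
        return {"verdict": "insufficient", "reasons": [f"only {len(ports)} samples"]}
    reg = delta_regularity(ports)
    span = span_bits(ports)
    reasons = []
    if reg > max_regularity:
        reasons.append(f"{reg:.0%} of port deltas are identical (fixed stride)")
    if span < min_span_bits:
        reasons.append(f"ports span only {2 ** span:.0f} values (narrow pool)")
    return {"verdict": "predictable" if reasons else "randomised",
            "delta_regularity": reg, "span_bits": span, "reasons": reasons}


# Constructed samples: what a patched resolver looks like from outside when the
# NAT preserves ports, when it rewrites them sequentially, and when it draws
# them from a 64-port pool.
SAMPLE_RANDOMISED = [53211, 4188, 61902, 17765, 33410, 58876,
                     9043, 45129, 27684, 63501, 12920, 39357]
SAMPLE_NAT_SEQUENTIAL = list(range(1024, 1036))
SAMPLE_NAT_NARROW_POOL = [40017, 40058, 40003, 40041, 40022, 40060,
                          40009, 40035, 40050, 40012, 40047, 40028]

# Constructed tcpdump-style capture, RFC 5737 addresses; the third line is a
# reply and must be ignored by the parser.
SAMPLE_TCPDUMP_LINES = [
    "13:11:18.000001 IP 192.0.2.10.1024 > 198.51.100.1.53: 1+ A? example.com. (29)",
    "13:11:18.000002 IP 192.0.2.10.1025 > 198.51.100.1.53: 2+ A? example.net. (29)",
    "13:11:18.000003 IP 198.51.100.1.53 > 192.0.2.10.1024: 1 1/0/0 A 203.0.113.5 (45)",
    "13:11:18.000004 IP 192.0.2.10.1026 > 198.51.100.1.53: 3+ A? example.org. (29)",
]

if __name__ == "__main__":
    for name, ports in [("resolver ports preserved by NAT", SAMPLE_RANDOMISED),
                        ("NAT rewriting ports sequentially", SAMPLE_NAT_SEQUENTIAL),
                        ("NAT with a 64-port pool", SAMPLE_NAT_NARROW_POOL),
                        ("parsed from capture", ports_from_tcpdump_lines(SAMPLE_TCPDUMP_LINES))]:
        r = assess(ports)
        print(f"{name}: {r['verdict']}; {'; '.join(r['reasons']) or 'no regularity found'}")
```

Note that a per-port entropy measure would not separate these cases, since both a randomised sequence and a sequential one consist of unique values; the stride and span tests are what expose a rewriting NAT. The sample must be taken on the outside of the NAT, because inside it the resolver's own ports look fine regardless of what the NAT does to them afterwards.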
