[12562] in bugtraq
Re: your mail
daemon@ATHENA.MIT.EDU (Alan Brown)
Sat Nov 13 21:24:13 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.05.9911130841140.7131-100000@mailhost.manawatu.net.nz>
Date: Sat, 13 Nov 1999 08:41:49 +1300
Reply-To: Alan Brown <alan@MANAWATU.GEN.NZ>
From: Alan Brown <alan@MANAWATU.GEN.NZ>
X-To: Brian Wellington <bwelling@TISLABS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.9911111415130.18963-100000@spiral.gw.tislabs.com>
On Thu, 11 Nov 1999, Brian Wellington wrote:
> Caching-only servers are also vulnerable. The NXT record is no different
> that any other DNS record in this case. If someone is able to make your
> server fetch a maliciously-constructed NXT record, it will cause problems.
> A query to a caching server will force the server to send a recursive
> query, which makes the caching server vulnerable.
All the more reason to define local IP ranges and restrict allow-query
to those ranges only by default.
AB
