Vulnerability to cache poisoning -- the rest of the solution
Alan Clegg
Alan_Clegg at isc.org
Fri Jul 11 12:06:45 UTC 2008
Twice in the last two days, I've seen people post their named.conf files
(or snippets thereof) and they have contained lines similar to the
following:
> query-source port 53;
> query-source-v6 port 53;
These lines specifically "undo" the port randomization that is included
in the current -P1 and beta code required for securing your servers from
cache poisoning.
It is not enough to install the patched code! You also MUST remove the
restrictions on the ports that your queries use when leaving your system.
Be aware that this may entail getting some cooperation from your
firewall administrators, but this is VITAL to the resilience of your
servers against the new attack vector.
Please, if you have QUERY-SOURCE PORT XX statements in your
configuration files, work quickly to remove them.
Thanks,
AlanC
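Added example, not part of Alan's post and not ISC code: a small POSIX shell audit that finds query-source and query-source-v6 statements in a named.conf that pin the source port to a fixed number (the lines quoted above), and rewrites the pin to "port *" so named chooses a random source port while any address clause is kept. The sample configuration, file paths and function names are constructed for the demonstration; the check handles one statement per line and does not parse multi-line statements.

```shell
#!/bin/sh
# Added example (not from the original post): audit a named.conf for
# query-source / query-source-v6 statements that fix the source port, and
# rewrite the fixed port to "*" so BIND randomizes it.
# The sample configuration below is constructed for this demonstration.

# check_query_source FILE: print each offending statement and return 1 if
# any query-source[-v6] statement carries a numeric port; return 0 otherwise.
# "//" and "#" comments are stripped first so commented-out lines are skipped.
# Only single-line statements are examined.
check_query_source() {
    hits=$(sed -e 's#//.*$##' -e 's/#.*$//' "$1" |
           grep -E 'query-source(-v6)?([^;]*[[:space:]])?port[[:space:]]+[0-9]+[[:space:]]*;' || true)
    if [ -n "$hits" ]; then
        printf 'fixed source port in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# fix_query_source FILE: replace a numeric source port with "*" in place,
# keeping any "address ..." clause; the original is saved as FILE.bak.
fix_query_source() {
    cp "$1" "$1.bak" &&
    sed -E -e 's/(query-source(-v6)?([^;]*[[:space:]])?port[[:space:]]+)[0-9]+([[:space:]]*;)/\1*\4/' \
        "$1.bak" > "$1"
}

# Constructed sample: the two statements from the post, one already
# commented out, and a listen-on line that must not be reported.
conf="${TMPDIR:-/tmp}/named.conf.$$"
cat > "$conf" <<'EOF'
options {
    directory "/var/cache/bind";
    query-source port 53;
    query-source-v6 port 53;
    // query-source address 192.0.2.1 port 53;
    listen-on port 53 { any; };
};
EOF

check_query_source "$conf" || fix_query_source "$conf"
check_query_source "$conf" && echo "no fixed query-source ports remain in $conf"
rm -f "$conf" "$conf.bak"
```

Run it against the real file as "check_query_source /etc/named.conf" (or wherever named.conf lives) and, once the port pin is gone, remember the firewall point made above: the server must be allowed to send queries from the whole ephemeral port range, not just from port 53, or the randomization buys nothing.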