Vulnerability to cache poisoning -- the rest of the solution
Baird, Josh
jbaird at follett.com
Mon Jul 14 13:48:04 UTC 2008
Ignore this... I found my answer in the ARM:
" The address specified in the query-source option is used for both UDP
and TCP queries, but the port applies only to UDP queries. TCP queries
always use a random unprivileged port."
Thanks,
Josh
-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Baird, Josh
Sent: Monday, July 14, 2008 8:28 AM
To: Michael Coumerilh; Alan Clegg
Cc: bind-users at isc.org
Subject: RE: Vulnerability to cache poisoning -- the rest of the solution
Will BIND randomize query TCP source ports as well (when TCP is
required) with these new patches?
Thanks,
Josh
On Jul 11, 2008, at 5:12 PM, Alan Clegg wrote:
> Peter Laws wrote:
>>> For now, randomize your query source ports. Please.
>>
>> Is that something you have to positively do (i.e., not a default),
>> or does it happen automagically with the updated BIND(s)?
>
> It's automatic in 9.3.5-P1, 9.4.2-P1, and 9.5.0-P1 (and the current
> betas) unless you tell it otherwise by using BAD things like:
>
> query-source port XX;
>
> in your configuration.
>
> Notice that if you have a line like the above in your current
> configuration and are behind a firewall, there may be rules in place
> that made that line necessary. Check with your firewall admin to make
> sure that "random outbound UDP ports" are open from your nameserver to
> the outside world.
>
> AlanC
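As an added check, not part of this thread or of ISC's code, the following Python scans a named.conf fragment for the setting Alan warns about: a query-source or query-source-v6 directive whose port argument is a fixed number rather than omitted or `*`. The two configuration fragments, the addresses in them, and the function names are constructed for the example; only the directive names come from the thread and the ARM quote above.

```python
"""Flag named.conf query-source directives that pin the UDP source port.

Constructed example; the fragments below are not a real configuration.
"""
import re

# Constructed "before" fragment: pinning the port disables the source-port
# randomization that the -P1 releases enable by default.
WEAK_CONF = """
options {
    directory "/var/named";
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""

# Constructed corrected fragment: the source address may still be fixed
# (firewall rules often depend on it), but the port is left to named.
FIXED_CONF = """
options {
    directory "/var/named";
    query-source address 192.0.2.53;       # port omitted: randomized
    query-source-v6 address 2001:db8::53 port *;
};
"""

# named.conf accepts //, # and /* */ comments; strip them before matching.
_COMMENT_RE = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/', re.S)
_QS_RE = re.compile(r'\b(query-source(?:-v6)?)\s+([^;]*);')
_PORT_RE = re.compile(r'\bport\s+(\*|\d+)\b')


def strip_comments(text):
    """Remove all three named.conf comment styles."""
    return _COMMENT_RE.sub('', text)


def find_pinned_query_ports(conf):
    """Return [(directive, port)] for each query-source / query-source-v6
    directive whose port is a fixed number. An omitted port or 'port *'
    leaves randomization in effect and is not reported."""
    findings = []
    for m in _QS_RE.finditer(strip_comments(conf)):
        directive, args = m.group(1), m.group(2)
        p = _PORT_RE.search(args)
        if p and p.group(1) != '*':
            findings.append((directive, int(p.group(1))))
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('fixed', FIXED_CONF)):
        hits = find_pinned_query_ports(conf)
        status = 'PINNED PORT' if hits else 'ok'
        print(f'{label}: {status} {hits}')
```

Per the ARM passage quoted at the top of the message, a pinned port affects only UDP queries; TCP queries use a random unprivileged port regardless, so the check deliberately looks at the port argument alone and does not report a fixed address.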