DNS Cache Snooping?

Jeff Lightner jlightner at water.com
Tue Jun 24 13:59:44 UTC 2008


Adam,

Not sure you saw my original post - it's not quoted below.

I'm not running views but it's looking like I need to do so.  I had hoped
I'd be able to control it with the internaldns ACL and adding
allow-recursion for that ACL.

I see there is an additional-from-cache that can be disabled in an
external view.

-----Original Message-----
From: Adam Tkac [mailto:atkac at redhat.com] 
Sent: Tuesday, June 24, 2008 9:56 AM
To: Jeff Lightner
Cc: Baird, Josh; Paul Vixie; comp-protocols-dns-bind at isc.org
Subject: Re: Re: DNS Cache Snooping?

On Tue, Jun 24, 2008 at 09:34:57AM -0400, Jeff Lightner wrote:
> Thanks.  I'd pretty much come to that conclusion based on my searches.
> I guess that means the link even though it is on ISC's site is
> incorrect.
> 
> FYI:  
> Current RHEL5 bind-chroot (and other bind packages) version is
> 9.3.4-6.P1.el5.   It was updated within the last month.  It includes a
> fix for CVE-2008-0122.   I had installed a new server a week or so ago
> and got this in the yum update.   Yesterday I updated my other server to
> this version specifically because there was a scan hit on CVE-2008-0122.
> That scan was based on BIND version so would still peg this but the
> details at RHN confirm the fix was added by RedHat to the 9.3.4-6 P1.
> 
> Does setting max-cache-ttl to a low value instead help remediate the
> DNS cache snooping?

Hi,

did you try setting "recursion no;" in your external view? I didn't test
it but it might help.

Adam

-- 
Adam Tkac, Red Hat, Inc.
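A split-view named.conf that puts the suggestions from this thread together: recursion and cache access limited to the internaldns ACL in the internal view, and recursion plus additional-from-cache switched off in the external view. This is an added example, not configuration from the thread or from ISC; the address ranges, zone names and file paths are constructed placeholders.

```conf
// Constructed example: internal address ranges are placeholders.
acl internaldns { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
};

// Internal view: the only place recursion (and therefore a cache) exists.
view "internal" {
    match-clients { internaldns; };
    recursion yes;
    allow-recursion { internaldns; };

    // Root hints are needed here because this view resolves recursively.
    zone "." { type hint; file "named.ca"; };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

// External view: authoritative answers only, nothing served from cache.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    // Keep additional-section data from leaking cached records either.
    additional-from-cache no;

    // No hint zone: this view never resolves on behalf of a client.
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};

// Note on the max-cache-ttl idea from the thread: it only shortens how long
// an entry stays in the cache, so it narrows the window but does not stop a
// non-recursive query from reading whatever is cached; the view split does.
```

To confirm the external view behaves as intended, run `named-checkconf` on the file and then query the server from an address outside internaldns with `dig +norecurse` for a name it is not authoritative for; the reply should carry no answer section.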