Recent Pharming Attacks

jlanawalt at gmail.com
Tue Apr 19 17:43:44 UTC 2005


Simon wrote:
>
> BIND should default to being safe from poisoning, as any sensible DNS
> server software should.

Recent BIND versions protect against out of zone response poisoning,
but I don't think allow-recursion or allow-query are restricted by
default. Without setting one of those appropriately you are still
vulnerable to another cache poisoning vector based on spoofed
responses.

Appropriate settings for these values have been discussed in threads
around this one. Basically you should only allow-recursion to systems
on your network (ie your users) or you should only allow-query to that
same set but make sure your public zones allow-query all.

Having a non-recursive public server for your public zones and a
private/protected caching only name server that only your network can
access can go a long way towards protecting against these kinds of
attacks.

-- 
Jacob
- Testing Google Groups. I hope the threading is OK.
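As an added illustration (not part of Jacob's post), here is a named.conf fragment putting the advice above into practice: the open-resolver settings to avoid, then an acl restricting allow-recursion to your own users while the public zone stays queryable by anyone. The network ranges and zone name are placeholders; allow-query-cache is a BIND 9.4+ directive that closes the same hole for plain cache lookups.

```conf
// Constructed example, not from the original post. Address ranges and
// the zone name are placeholders; substitute your own.

// --- Weak: an open resolver that will recurse for the whole Internet ---
// options {
//     recursion yes;
//     allow-query { any; };
//     allow-recursion { any; };   // anyone can make you fetch (and cache) answers
// };

// --- Hardened: recurse only for our users, serve public zones to all ---
acl "internal" {
    127.0.0.0/8;
    192.0.2.0/24;        // placeholder: your user network
    2001:db8::/32;       // placeholder: your IPv6 range
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };     // only our users may ask us to recurse
    allow-query-cache { internal; };   // only our users may read cached answers
    allow-query { any; };              // authoritative data stays public
};

// Public zone: overrides nothing, but states the intent explicitly.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

To check it, from an address outside the acl run dig @your-server example.org A (a name you are not authoritative for) and expect status REFUSED, while dig @your-server example.com SOA still answers; splitting the caching resolver and the public authoritative server onto separate hosts, as the post recommends, removes the shared cache entirely.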