Vulnerability to cache poisoning -- the rest of the solution

Jeff Lightner jlightner at water.com
Mon Jul 14 15:32:05 UTC 2008 

OK maybe I missed something.

We were only allowing port 53 outside the firewall (confirmed by the
Network folks).   We've been doing lookups for external sites fine
despite that.   Was the discussion in current thread about that or
something else?

You mention transfer.   The only transfers I'm aware of are on a
separate interface (internal DMZ) for zone transfers between master and
slave DNS servers.   

Also my Network admin is asking for clarification of what needs to be
opened for the port randomization.   He thinks it should only be ports
above 1024.
1)  Is that correct?  If not is there a range that is correct?
2)  Is this udp AND tcp?   
Earlier posts had led me to believe it was only udp but the current
thread makes it sound like it should be both.

He's ready to open whatever I tell him but I don't see any point in
opening up ports that won't be used.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Alan Clegg
Sent: Monday, July 14, 2008 10:44 AM
To: bind-users at isc.org
Subject: Re: Vulnerability to cache poisoning -- the rest of the
solution

Jeff Lightner wrote:
> If that's the case why wouldn't we have needed to open firewall to
allow
> this behavior for tcp?
You would have.  Unless you never had (functional) DNS queries/transfers
over TCP.

AlanC
----------------------------------
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
----------------------------------



The information contained in this message and any attachment may be
proprietary, confidential, and privileged or subject to the work
product doctrine and thus protected from disclosure.  If the reader
of this message is not the intended recipient, or an employee or
agent responsible for delivering this message to the intended
recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify me
immediately by replying to this message and deleting it and all
copies and backups thereof.  Thank you.

More information about the bind-users mailing list