Vulnerability to cache poisoning -- the rest of the solution

Vyto Grigaliunas vyto at fnal.gov
Mon Jul 14 20:20:49 UTC 2008


Yep...

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Baird, Josh
> Sent: Monday, July 14, 2008 2:29 PM
> To: Jeff Lightner; Peter Laws; bind-users at isc.org
> Subject: RE: Vulnerability to cache poisoning -- the rest of the solution
> 
> Is anyone else getting all kinds of duplicate messages that were sent
> hours ago?
> 
> 
> 
> 
> 
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Jeff Lightner
> Sent: Monday, July 14, 2008 11:36 AM
> To: Peter Laws; bind-users at isc.org
> Subject: RE: Vulnerability to cache poisoning -- the rest of the solution
> 
> You ignored the rest of what I wrote apparently.
> 
> 
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Peter Laws
> Sent: Monday, July 14, 2008 12:15 PM
> To: bind-users at isc.org
> Subject: Re: Vulnerability to cache poisoning -- the rest of the solution
> 
> Jeff Lightner wrote:
> > OK maybe I missed something.
> >
> > We were only allowing port 53 outside the firewall (confirmed by the
> > Network folks).   We've been doing lookups for external sites fine
> > despite that.   Was the discussion in the current thread about that or
> > something else?
> Are your *outbound* connections restricted by the firewall to udp/53?
> Or was your security admin talking about *inbound* connections?
> 
> All the hullabaloo is about random source ports for DNS servers doing
> recursive lookups on behalf of clients.  The randomness of port choice
> has been improved (hasn't it?) with the recent patches.
> 
> You also need to make sure your BIND config doesn't pin it to a
> particular port (53 or otherwise).
> 
> --
> Peter Laws / N5UWY
> National Weather Center / Network Operations Center
> University of Oklahoma Information Technology
> plaws at ou.edu
> -----------------------------------------------------------------------
> Feedback? Contact my director, Craig Cochell, craigc at ou.edu. Thank you!
> 
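The check Peter Laws describes above (make sure named.conf does not pin the query source port), written out as an added example that is not part of this thread: a small script that scans a named.conf for `query-source` / `query-source-v6` statements with a fixed `port`, ignoring commented-out lines. Both sample configurations are constructed for the example.

```python
import re

# Constructed sample configurations (not from the thread).
PINNED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    // Pins every outgoing query to UDP/53: source-port randomization is lost.
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""

RANDOM_CONF = """
options {
    directory "/var/named";
    recursion yes;
    # Old pinned setting left in place, but commented out.
    # query-source address * port 53;
    query-source address *;       /* no port clause: named picks a random port */
    query-source-v6 address * port *;
};
"""

QUERY_SOURCE_RE = re.compile(r"^\s*(query-source(?:-v6)?)\s+([^;]*);", re.MULTILINE)
PORT_RE = re.compile(r"\bport\s+(\S+)")


def strip_comments(text):
    """Drop /* */, // and # comments so disabled lines are not reported."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def pinned_query_sources(conf_text):
    """Return (directive, port) for each query-source statement that fixes the
    UDP source port.  'port *' or no port clause leaves the choice to named."""
    findings = []
    for m in QUERY_SOURCE_RE.finditer(strip_comments(conf_text)):
        directive, args = m.group(1), m.group(2)
        port = PORT_RE.search(args)
        if port and port.group(1) != "*":
            findings.append((directive, port.group(1)))
    return findings


if __name__ == "__main__":
    for name, conf in (("pinned", PINNED_CONF), ("random", RANDOM_CONF)):
        print(name, pinned_query_sources(conf) or "OK: no fixed source port")
```

Point `pinned_query_sources` at the text of a real named.conf (and any files it includes) to get the list of directives that still pin the port; an empty list means named is free to randomize.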