BIND 9.5.0 Unpatched - Passes DNS-OARC and Doxpara Tests

Jeremy C. Reed Jeremy_Reed at isc.org
Mon Jul 14 21:55:47 UTC 2008


On Mon, 14 Jul 2008, Gross, Jason D wrote:

> This might fit in the "too dumb to ask" bucket, but if my BIND servers 
> are already passing the DNS-OARC and Doxpara checks, does that mean that 
> my servers don't need to be patched as urgently as a server that doesn't pass 
> or are my servers as vulnerable as any other unpatched server? I do 
> intend to patch, I'm just curious if I'm relatively safe or if I'm just 
> getting a false sense of security.
> 
> My feeling is that it's probably a false sense of security.

See the 9.5.0 ARM: "If port is * or is omitted, a pool of random 
unprivileged ports will be used." By default there are eight random ports 
which are recreated every 15 minutes. So that was good enough to trick 
those tests.

Note that the queryport options will be obsoleted in 9.5.1 which uses a 
random source port for every query.
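
The following Python example is added here; it is not part of the original message or of BIND. It shows why a check that only scores the spread of a small port sample accepts an eight-port pool, while counting distinct source ports per 15-minute window exposes it. The threshold, function names and sample data are assumptions constructed for illustration, not the actual DNS-OARC or Doxpara scoring.

```python
import math
from statistics import pstdev

WINDOW = 900          # 15 minutes, the pool lifetime quoted from the ARM above
SPREAD_MIN = 3000.0   # assumed threshold for a spread-only score (hypothetical)

def spread_ok(ports):
    """Small-sample check: only asks whether ports are spread across the range."""
    return pstdev(ports) >= SPREAD_MIN

def pool_report(obs, window=WINDOW):
    """obs: (unix_time, source_port) pairs from the resolver's outgoing queries.
    Returns one (queries, distinct_ports, bits) tuple per window, counted from
    the first observation. bits = log2(distinct), bounded by the sample size."""
    start = min(t for t, _ in obs)
    buckets = {}
    for t, port in obs:
        buckets.setdefault((t - start) // window, []).append(port)
    report = []
    for key in sorted(buckets):
        ports = buckets[key]
        distinct = len(set(ports))
        report.append((len(ports), distinct, round(math.log2(distinct), 1)))
    return report

def looks_pooled(obs, ratio=0.5):
    """True when any window reuses ports heavily (distinct < ratio * queries)."""
    return any(d < ratio * n for n, d, _ in pool_report(obs))

# Constructed sample data (not a real capture): two 15-minute windows, each
# drawing from its own fixed pool of eight ports, one query every 5 seconds.
POOL_A = [1837, 9214, 17650, 24981, 33402, 41876, 52310, 60127]
POOL_B = [2291, 11873, 19004, 27516, 36640, 45093, 50718, 63355]
pooled = [(i * 5, (POOL_A if i < 180 else POOL_B)[i % 8]) for i in range(360)]
# Constructed stand-in for per-query randomization: every port is different.
per_query = [(i * 5, 1024 + (i * 7919) % 64512) for i in range(360)]

if __name__ == "__main__":
    for name, obs in (("pooled", pooled), ("per-query", per_query)):
        first26 = [p for _, p in obs[:26]]
        print(name, "spread_ok:", spread_ok(first26),
              "pooled:", looks_pooled(obs), pool_report(obs))
```

Both samples pass the spread check, but only the pooled one reports eight distinct ports (3 bits) per window.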

