do not run old versions of bind any more please!

Alan Clegg Alan_Clegg at isc.org
Fri Jul 25 15:33:00 UTC 2008


Paul Vixie wrote:
> an auditor just found that one of my recursive nameservers was vulnerable
> to kaminsky-style cache poisoning.  this is one of my personal servers, so
> it was quite embarrassing.  upon inspection it turned out i was running the
> stock BIND that came with FreeBSD 4.11.  this is BIND8.
The cobbler's children have no shoes.

I discovered that my mail server was running an old version of BIND.

Not as old as Paul's, but still old enough.  No clients pointed to it,
but it was running a vulnerable version with a configuration that would
have allowed it to be poisoned.

Please, look at all of your outbound traffic that has destination port
53 and make sure that the machines generating that traffic are patched
appropriately.  Consider where machines might be hiding that system
administrators might have turned on recursive servers to reduce load
elsewhere.

AlanC
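One way to do the sweep Alan describes, as an added example that is not part of his post or of BIND: capture traffic at the border for destination port 53, then list which internal hosts are originating queries (those are the machines to inspect, whether or not anyone remembers turning a resolver on). The capture lines below are constructed tcpdump-style output, not real traffic; the `dns_talkers` and `bind_version_of` function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find internal hosts that send
# DNS queries out to port 53, i.e. candidate recursive resolvers that may be
# running an unpatched BIND.  Input is assumed to be tcpdump text captured
# at the border, e.g.:
#   tcpdump -n -l -i eth0 'udp dst port 53 or tcp dst port 53'
# The capture below is constructed for illustration (IPv4 only; tcpdump
# prints IPv6 as "IP6" with a different address layout, not handled here).
SAMPLE_CAPTURE='12:00:01.000001 IP 192.0.2.10.53012 > 198.51.100.1.53: 1234+ A? example.com. (29)
12:00:01.000002 IP 192.0.2.10.53012 > 198.51.100.2.53: 1235+ A? example.net. (29)
12:00:02.000003 IP 192.0.2.25.49152 > 203.0.113.7.53: 4567+ MX? example.org. (30)
12:00:03.000004 IP 192.0.2.10.41000 > 203.0.113.9.53: 9 [1au] AAAA? example.com. (40)
12:00:04.000005 IP 192.0.2.40.22 > 198.51.100.5.51234: Flags [P.], seq 1:2, ack 1, win 100, length 1
12:00:05.000006 IP 192.0.2.31.60001 > 198.51.100.3.53: 777+ PTR? 1.2.0.192.in-addr.arpa. (44)'

# Read tcpdump text on stdin; print "<count> <source ip>" for every source
# that sent packets to destination port 53, most talkative first.  The
# non-DNS line (ssh to port 51234) is ignored because its destination port
# is not 53.
dns_talkers() {
    awk '$2 == "IP" && $5 ~ /\.53:$/ {
             src = $3
             sub(/\.[0-9]+$/, "", src)   # strip the source port
             n[src]++
         }
         END { for (h in n) print n[h], h }' | sort -rn
}

# Ask a candidate host what it is.  Requires network access and dig; many
# servers hide or fake version.bind, so treat an answer as a hint, not proof,
# and log in to check the installed package anyway.
bind_version_of() {
    dig +short +time=2 +tries=1 version.bind txt chaos @"$1"
}

printf '%s\n' "$SAMPLE_CAPTURE" | dns_talkers
# For each host listed, e.g.:  bind_version_of 192.0.2.10
```

On the sample, 192.0.2.10 shows up three times and is the obvious first place to look; a host like 192.0.2.31 doing reverse lookups only once is still a resolver and still needs the same check. Run the capture for a day rather than a minute, since a forgotten resolver on a mail or monitoring box may only query occasionally.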




More information about the bind-users mailing list