cache poisoning counter-measures

Alan Clegg Alan_Clegg at isc.org
Mon Jan 5 04:34:22 UTC 2009


Chris Henderson wrote:
> I'm trying to implement some basic counter-measures against the
> Kaminsky bug. I have had to configure my switch to allow any incoming
> query to TCP and UDP port 53 on my slave DNS server. I was wondering
> if this is going to cause any problem as far as security is concerned.
> 
> Bind version 9.4.1 running in chroot jail.

Upgrade to 9.5.1 or better and randomize your query source port numbers.
There are no other "basic counter-measures" for servers doing recursion.

AlanC


More information about the bind-users mailing list