cache poisoning counter-measures

Doug Barton dougb at dougbarton.us
Mon Jan 5 04:38:35 UTC 2009


Chris Henderson wrote:
> I'm trying to implement some basic counter-measures against the
> Kaminsky bug. I have had to configure my switch to allow any incoming
> query to TCP and UDP port 53 on my slave DNS server. I was wondering
> if this is going to cause any problem as far as security is concerned.
> 
> Bind version 9.4.1 running in chroot jail.

First off, 9.4.3 has been out for a while now, and has query source
port randomization features that you want. You should read more about
it on the ISC web site.

Second, it's not clear what you're trying to accomplish. If the hosts
that will be querying this name server are inside the firewall, there
is no reason that you should have to open port 53 from the outside
world (except perhaps from the master name server(s)).

To intelligently answer your question you're going to have to provide
more details.

Doug
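Doug's two points as a named.conf fragment (an added example, not from the thread or from ISC): the weak fixed-source-port setting beside the corrected one, and an access policy that keeps port 53 closed to everyone but the master. It assumes an internal-only slave that also recurses for hosts on the local networks, BIND 9.4.3 or later, and a placeholder master address of 192.0.2.10; the `use-v4-udp-ports` option is assumed to be available in that release.

```conf
// Added example, not from the thread. Assumes an internal-only slave that
// also recurses for the local networks; 192.0.2.10 is a placeholder master.

options {
    directory "/var/named";

    // WEAK: pinning the outbound source port means every query leaves from
    // the same port, so only the 16-bit query ID has to be guessed
    // (the Kaminsky attack). Do not do this:
    //   query-source address * port 53;

    // FIXED: leave the port unspecified so named picks a random high port
    // for each query (9.4.3+), and keep the pool above the well-known range.
    query-source address *;
    use-v4-udp-ports { range 1024 65535; };

    // Only internal hosts may query or recurse; nothing outside the
    // firewall needs to reach UDP/TCP 53 on this server except the master.
    allow-query     { localnets; };
    allow-recursion { localnets; };
    allow-transfer  { none; };
};

zone "example.org" {
    type slave;
    file "slave/example.org";
    masters { 192.0.2.10; };        // placeholder master address
    allow-notify { 192.0.2.10; };   // accept NOTIFY only from the master
};
```

With this policy the switch only needs to pass port 53 from the master, not from arbitrary outside addresses; `named-checkconf` should be run before reloading.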
