cache poisoning counter-measures

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Jan 5 11:46:44 UTC 2009


On 05.01.09 15:29, Chris Henderson wrote:
> I'm trying to implement some basic counter-measures against the
> Kaminsky bug. I have had to configure my switch to allow any incoming
> query to TCP and UDP port 53 on my slave DNS server. I was wondering
> if this is going to cause any problem as far as security is concerned.
> 
> Bind version 9.4.1 running in chroot jail.

The bug does not lie in server operations. It lies in client operations. While
people are querying your slave server, you have no problem. If you send
recursive queries to the mentioned name server, and it sends queries out,
that is a problem. It must send queries from randomised ports, which means
that not only packets to tcp/udp port 53 from outside must be allowed, but
packets from any port on your server to tcp/udp 53 anywhere must be allowed
and also packets from tcp/udp port 53 anywhere to any port on your server
must be allowed.
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
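As an added example (not part of Matus's reply or of BIND), the three flows he lists written out as iptables rules; iptables and the interface name eth0 are assumptions, since the thread does not say what firewall is in use. The stateful variant goes one step beyond the post: with connection tracking the third flow needs no rule of its own.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits (does not apply)
# iptables rules for a BIND resolver that sends queries from randomised
# source ports. "eth0" and iptables itself are assumptions; the reply
# only says which flows must be allowed.

# Stateless firewall: all three flows from the reply must be opened by hand.
stateless_dns_rules() {
    iface="$1"
    for proto in udp tcp; do
        # 1. queries from clients to our server on port 53
        echo "iptables -A INPUT  -i $iface -p $proto --dport 53 -j ACCEPT"
        # 2. our own recursive queries: any local port -> port 53 anywhere
        echo "iptables -A OUTPUT -o $iface -p $proto --dport 53 -j ACCEPT"
        # 3. the answers: port 53 anywhere -> the randomised local port.
        #    Leaving this out breaks resolution; "fixing" that by pinning
        #    the query source port to 53 brings the weakness back.
        echo "iptables -A INPUT  -i $iface -p $proto --sport 53 -j ACCEPT"
    done
}

# Stateful firewall: conntrack matches each answer to the query that caused
# it, so flow 3 needs no hole of its own and nothing arriving from port 53
# is accepted unless we asked for it.
stateful_dns_rules() {
    iface="$1"
    echo "iptables -A INPUT  -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for proto in udp tcp; do
        echo "iptables -A INPUT  -i $iface -p $proto --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
        echo "iptables -A OUTPUT -o $iface -p $proto --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Print both rule sets for review; pipe into sh only after checking them.
stateless_dns_rules eth0
echo
stateful_dns_rules eth0
```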