Paul Vixie wrote:
> an auditor just found that one of my recursive nameservers was vulnerable
> to kaminsky-style cache poisoning.  this is one of my personal servers, so
> it was quite embarrassing.  upon inspection it turned out i was running the
> stock BIND that came with FreeBSD 4.11.  this is BIND8.
The cobbler's children have no shoes.

I discovered that my mail server was running an old version of BIND.

Not as old as Paul's, but still old enough.  No clients pointed to it,
but it was running a vulnerable version with a configuration that would
have allowed it to be poisoned.

Please, look at all of your outbound traffic that has destination port
53 and make sure that the machines generating that traffic are patched
appropriately.  Consider where machines might be hiding on which system
administrators might have turned on recursive servers to reduce load
elsewhere.

AlanC
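The audit Alan describes, as an added example that is not part of the original thread: take a firewall or flow log, keep only outbound traffic to destination port 53, group it by source host, and flag (a) hosts that are not on your list of sanctioned resolvers and (b) hosts whose queries all leave from one fixed or a sequential source port, which is what a resolver without the Kaminsky fix (source-port randomization) looks like on the wire. The log format, the KNOWN_RESOLVERS set and the sample lines are all constructed for this example and use documentation address space.

```python
"""Find hosts sending DNS queries and flag ones that look unpatched.

Added example, not code from the original post.  Assumptions (hypothetical):
- log lines look like "<ts> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
- KNOWN_RESOLVERS holds the hosts you expect to be doing recursion
- a host whose queries all use one source port, or consecutive source
  ports, is treated as a candidate pre-Kaminsky-fix resolver
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Hosts that are supposed to be recursive resolvers (assumed for the example).
KNOWN_RESOLVERS = {"192.0.2.53"}

# Constructed sample log: one sanctioned resolver with random source ports,
# one forgotten BIND using a fixed port, one host with sequential ports,
# and one unrelated HTTPS connection that must be ignored.
SAMPLE_LOG = """\
2008-07-25T10:00:01 udp 192.0.2.53:41927 -> 198.51.100.1:53
2008-07-25T10:00:01 udp 192.0.2.53:8811 -> 198.51.100.2:53
2008-07-25T10:00:02 udp 192.0.2.53:60233 -> 198.51.100.3:53
2008-07-25T10:00:02 udp 192.0.2.25:53 -> 198.51.100.1:53
2008-07-25T10:00:03 udp 192.0.2.25:53 -> 198.51.100.4:53
2008-07-25T10:00:03 udp 192.0.2.25:53 -> 198.51.100.2:53
2008-07-25T10:00:04 tcp 192.0.2.77:51002 -> 203.0.113.9:443
2008-07-25T10:00:05 udp 192.0.2.10:1024 -> 198.51.100.1:53
2008-07-25T10:00:05 udp 192.0.2.10:1025 -> 198.51.100.2:53
2008-07-25T10:00:06 udp 192.0.2.10:1026 -> 198.51.100.3:53
"""


def parse_log(text):
    """Yield (src_ip, sport, dport) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), int(m["dport"])


def port_pattern(ports):
    """Classify one host's source-port behaviour across its DNS queries."""
    if len(ports) < 3:
        return "too-few-queries"
    distinct = sorted(set(ports))
    if len(distinct) == 1:
        return "fixed-port"
    if all(b - a == 1 for a, b in zip(distinct, distinct[1:])):
        return "sequential-port"
    return "randomized"


def audit(text, known=KNOWN_RESOLVERS):
    """Map each DNS-sending host to its query count, port pattern and status."""
    ports_by_src = defaultdict(list)
    for src, sport, dport in parse_log(text):
        if dport == 53:
            ports_by_src[src].append(sport)
    return {
        src: {
            "queries": len(ports),
            "pattern": port_pattern(ports),
            "known": src in known,
        }
        for src, ports in ports_by_src.items()
    }


def needs_attention(report):
    """Hosts to go and patch or verify: unknown senders, or non-random ports."""
    return sorted(
        src for src, info in report.items()
        if not info["known"] or info["pattern"] != "randomized"
    )


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for src in sorted(result):
        print(src, result[src])
    print("check these hosts:", needs_attention(result))
```

The port test is an indicator, not proof: a NAT in the path can rewrite source ports either way, and a stub resolver that only sends a handful of queries may legitimately reuse one port. Treat anything the script lists as a place to go and check the actual software version on the host, which is the check that matters.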


