Package: bind9
Severity: normal
Tags: security

Good day,

> From CVE-2006-0987 :

>  The default configuration of ISC BIND, when configured as a caching
>  name server, allows recursive queries and provides additional
>  delegation information to arbitrary IP addresses, which allows remote
>  attackers to cause a denial of service (traffic amplification) via
>  DNS queries with spoofed source IP addresses.

References : 

http://www.securityfocus.com/archive/1/archive/1/426368/100/0/threaded
http://dns.measurement-factory.com/surveys/sum1.html
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf

I've checked that default install on debian allows recursive queries but
I'm not sure if this is really a problem or not. 

The workaround I can see would be to listen only on loopback for
non-authoritative queries (as djbdns do) if we want to have a caching
server (with recursion) by default.

But I'm far from being a DNS expert so perhaps I've missed something...

Regards

PS: I've open the same bug for bind8, see #355787

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to