Package: bind9 Severity: normal Tags: security
Good day, > From CVE-2006-0987 : > The default configuration of ISC BIND, when configured as a caching > name server, allows recursive queries and provides additional > delegation information to arbitrary IP addresses, which allows remote > attackers to cause a denial of service (traffic amplification) via > DNS queries with spoofed source IP addresses. References : http://www.securityfocus.com/archive/1/archive/1/426368/100/0/threaded http://dns.measurement-factory.com/surveys/sum1.html http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf I've checked that default install on debian allows recursive queries but I'm not sure if this is really a problem or not. The workaround I can see would be to listen only on loopback for non-authoritative queries (as djbdns do) if we want to have a caching server (with recursion) by default. But I'm far from being a DNS expert so perhaps I've missed something... Regards PS: I've open the same bug for bind8, see #355787 -- System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.6.8-2-686 Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

