On Tue, Jul 22, 2008 at 2:32 PM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> http://www.provos.org/index.php?/pages/dnstest.html
>
> DNS Resolver Test
>
> For secure name resolution, it is important that your DNS resolver uses
> random source ports. The box below will tell you if there is something you
> need to worry about.
>
> Your DNS Resolver needs to be updated.
>
I'll put a new blog post up later today with in-depth info now that the cat's out of the bag on this. In short:

- the dnsmasq update is good, but not related to this at all - dnsmasq doesn't issue recursive queries, so you don't have to update it.
- if you're using the DNS forwarder on pfSense, whether or not you're vulnerable depends on what servers it relies on for answering queries. Unless you specify otherwise, this is your ISP.
- if your recursive servers are behind pfSense doing NAT with a default NAT configuration, you're fine even *without* patching your DNS servers. Note this is only true if pfSense is the *only* thing doing NAT - see thread yesterday on one of the lists where someone who was double NATing was blaming pfSense for something that some commercial box was doing wrong when pfSense was behaving fine.
- if you're using the DNS server package on pfSense, it's djbdns, and it never was vulnerable to this.

What you're likely seeing above (though you've left out details) is your ISP hasn't fixed their DNS servers. If your ISP is still vulnerable, switch to OpenDNS and you're fine.
