> From: Max Laier <[EMAIL PROTECTED]>
> Date: Mon, 21 Jul 2008 21:38:46 +0200
> Sender: [EMAIL PROTECTED]
>
> On Monday 21 July 2008 21:14:22 Doug Barton wrote:
> > Brett Glass wrote:
> > | Everyone:
> > |
> > | Will FreeBSD 7.1 be released in time to use it as an upgrade to
> > | close the BIND cache poisoning hole?
> >
> > Brett, et al,
> >
> > I'll make this simple for you. If you have a server that is running
> > BIND, update BIND now. If you need to use the ports, that's fine, just
> > do it now. Make sure that you are not specifying a port via any
> > query-source* options in named.conf, and that any firewall between
> > your named process and the outside world does keep-state on outgoing
> > UDP packets.
>
> ... and that any NAT device employs at least a somewhat random port
> allocation mechanism - pf provides this.
And, if you are not sure how good a job it does (and I am not), you should use
the OARC test to check how well it works:

dig +short porttest.dns-oarc.net TXT

If the result is not "GOOD", it's not good enough. You can test a remote server
by adding "@remote-server" to the dig command. The server may be specified by
name or IP address.

Don't forget that ANY server that caches data, including an end system running
a caching only server, is vulnerable.

-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]
Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
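An added audit helper covering the two checks raised in this thread, Doug Barton's point about query-source port pinning in named.conf and the OARC port test above; it is not code from any of the posters. The named.conf path is supplied by the caller, and the exact wording of the porttest TXT answer ("... is GOOD: ...") is an assumption, as is the constructed sample used in the comments.

```sh
#!/bin/sh
# Added audit helper; not code from the thread. Assumes a named.conf path passed
# by the caller and the public OARC port test the thread recommends.
# Checks the two points made above:
#   1. named.conf must not pin the query source port (only "port *" is safe)
#   2. the resolver as seen from outside must rate GOOD at porttest.dns-oarc.net

# Read named.conf on stdin; exit 0 if a query-source / query-source-v6 directive
# pins a numeric source port (bad), 1 otherwise. Line comments (// and #) are
# stripped first so commented-out directives do not count; /* */ blocks are not.
pinned_query_source_port() {
    sed -e 's|//.*$||' -e 's|#.*$||' \
    | tr '\n' ' ' | tr ';' '\n' \
    | grep -E 'query-source(-v6)?' \
    | grep -Eq 'port[[:space:]]+[0-9]+'
}

# Classify the TXT answer from porttest.dns-oarc.net (assumed form, e.g. the
# constructed sample "192.0.2.1 is GOOD: 26 queries ... std dev 17845").
# Prints GOOD, FAIR, POOR or UNKNOWN and succeeds only for GOOD, matching the
# "if it is not GOOD" rule above.
porttest_verdict() {
    case "$1" in
        *" is GOOD:"*) echo GOOD; return 0 ;;
        *" is FAIR:"*) echo FAIR; return 1 ;;
        *" is POOR:"*) echo POOR; return 1 ;;
        *)             echo UNKNOWN; return 1 ;;
    esac
}

# Run the test from this host, or against "$1" with @server as the thread describes.
run_porttest() {
    server="${1:+@$1}"
    # $server is deliberately unquoted so an empty value expands to nothing.
    answer=$(dig +short $server porttest.dns-oarc.net TXT 2>/dev/null)
    porttest_verdict "$answer"
}

# Usage: sh bind-porttest.sh --audit /path/to/named.conf [server]
if [ "${1:-}" = "--audit" ]; then
    if pinned_query_source_port < "$2"; then
        echo "$2 pins the query source port; change it to port * and restart named"
    fi
    run_porttest "${3:-}"
fi
```

The functions can also be sourced into an interactive shell; only the --audit mode touches the network.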