Brett Glass wrote:
> At 02:24 PM 7/21/2008, Kevin Oberman wrote:
> 
> > Don't forget that ANY server that caches data, including an end system
> > running a caching only server is vulnerable.
> 
> Actually, there is an exception to this. A "forward only"
> cache/resolver is only as vulnerable as its forwarder(s). This is a
> workaround for the vulnerability for folks who have systems that they
> cannot easily upgrade: point at a trusted forwarder that's patched.
> 
> We're also looking at using dnscache from the djbdns package.

I'm curious, is djbdns exploitable, too? Does it randomize the source
ports of UDP queries?

> Of course, all solutions that randomize ports are really just
> "security by obscurity," because by shuffling ports you're hiding the
> way to poison your cache... a little.

True, but there is currently no better solution, AFAIK. The problem is
inherent in the way DNS queries work.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registration court Munich, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registration court
Munich, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible." -- John William Chambless
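The question in the thread (does a given resolver randomize the source ports of its UDP queries, and how much does that actually add on top of the 16-bit transaction ID) can be answered from a packet capture of the resolver's outgoing queries. The script below is an added example, not part of the mailing-list thread or of any resolver's code: it takes a list of observed source ports (the three sample lists are constructed, and the POOR/WEAK/GOOD thresholds are assumptions chosen for illustration) and reports how many distinct ports were seen, the sample entropy of the port choice, and a lower bound on the bits an off-path spoofer would have to guess.

```python
"""
Assess source-port randomization of a caching resolver from observed ports.

Added example (not from the thread). Input is the list of UDP source ports
seen on queries leaving the resolver, e.g. collected with a packet capture
of traffic to destination port 53. The sample port lists below are constructed.
"""
import math
from collections import Counter

TXID_BITS = 16  # every DNS message carries a 16-bit transaction ID


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution.

    With n samples this is capped at log2(n), so treat it as a lower bound
    on the randomness of the resolver's port choice, not the true value.
    """
    n = len(ports)
    counts = Counter(ports)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess(ports):
    """Classify the port behaviour and return the supporting numbers."""
    distinct = len(set(ports))
    entropy = port_entropy_bits(ports)
    spread = max(ports) - min(ports)  # sequential allocation shows as a tight cluster
    # Thresholds are assumptions for illustration, not a standard.
    if distinct == 1:
        verdict = "POOR: fixed source port; only the 16-bit TXID protects the cache"
    elif distinct < len(ports) // 2 or spread < 1024:
        verdict = "WEAK: little port variation (sequential or small pool)"
    else:
        verdict = "GOOD: source ports look randomized"
    return {
        "distinct_ports": distinct,
        "entropy_bits": round(entropy, 2),
        "spread": spread,
        # TXID bits plus observed port entropy: a floor on the guessing space.
        "min_guess_space_bits": round(TXID_BITS + entropy, 2),
        "verdict": verdict,
    }


# Constructed samples of what a capture of outgoing queries might show.
FIXED_PORT = [53] * 12                      # query source port pinned to 53
SEQUENTIAL = list(range(1030, 1042))        # OS ephemeral ports handed out in order
RANDOMIZED = [49811, 33007, 58422, 40196, 52073, 35618, 60231, 44905,
              38470, 55794, 47362, 31250]   # resolver picking a random port per query

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)):
        result = assess(sample)
        print(f"{name:10s} distinct={result['distinct_ports']:2d} "
              f"entropy={result['entropy_bits']:5.2f} bits  {result['verdict']}")
```

The entropy figure is only as good as the sample: a dozen queries can never show more than about 3.6 bits, so collect a few hundred before drawing conclusions, and remember that a NAT device in front of the resolver can rewrite the ports and undo the randomization the resolver itself performs.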
