Marty,

You're right, none of the BIND server stuff relates to you - I think AT&T should be able to upgrade their servers in time, if they haven't already. We're only discussing it because you brought it up.

If you want to check on AT&T's progress, execute this command [assuming you have dig installed]:

    dig +short porttest.dns-oarc.net TXT

This will test your default resolver (AT&T's) and give you a readout of whether their server is still vulnerable. If it is, this affects you, because a successful attack on their resolver is an attack on you.

My original question, about glibc's stub resolver, has already been answered by Robert.

Chris Buxton
Professional Services
Men & Mice

On Jul 15, 2008, at 7:41 AM, marty wrote:

>>
>> You're using a resolving name server somewhere. That resolving name
>> server almost certainly has a cache.
>
> I only use my ISP's resolvers which do have caches, but
> that's AT&T's problem, not mine.
>
>>
>>>> I don't provide recursive DNS to the public.
>>
>> Does it provide recursive DNS service to anyone? To you? If so, your
>> recursion restriction does not protect you.
>
> No. I only serve authoritative DNS, but with a split horizon
> for the stuff on private IPs too. It has a DNS proxy that
> passes recursion to my ISP, and only when I enable that for
> maintenance purposes. Otherwise, SERVFAIL is all ya get.
>
> Likewise, my other subnets are managed in a similar manner.
> I have ALWAYS distrusted caching resolvers and am loath to
> run one myself.
>
>>>> Source ports are randomized by design in my software.
>>
>> If you use BIND as a resolving name server, the versions available
>> before last Tuesday did not change their randomized ports between
>> queries.
>
> I wouldn't use BIND on a bet. I use PowerDNS and I do not
> build the recursor/resolver part either.
>
>>
>>>> Everything is behind firewalls on NAT. And I use HLFS.
>>
>> None of that will help you in the slightest if you run a resolving
>> name server based on BIND.
>>
>
> But I don't run BIND, do I?
>
> None of these things you say seem to relate to my situation.
> Must be a coincidence...
>
> Marty B.
>
>
> --
> Electile Dysfunction : the inability to become aroused over
> any of the choices for President put forth by either party in the 2008
> election.
>
> --
> http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
> FAQ: http://www.linuxfromscratch.org/faq/
> Unsubscribe: See the above information page
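
An added example, not part of the original message and not code from the porttest service or any DNS project: the thread turns on whether a resolver changes its source port between queries, so this sketch rates a series of observed query source ports by how predictable they are. The port lists are constructed, and the function names, rating labels and thresholds are illustrative assumptions.

```python
import statistics

# Constructed sample data: UDP source ports seen on 12 consecutive outgoing
# queries from four hypothetical resolvers (not measurements of any real server).
SAMPLES = {
    "fixed":      [32768] * 12,
    "sequential": list(range(1024, 1036)),
    "narrow":     [50003, 50017, 50005, 50040, 50022, 50009,
                   50031, 50014, 50002, 50027, 50036, 50011],
    "randomized": [1843, 60211, 33412, 9120, 48877, 21650,
                   55003, 4096, 39990, 15234, 62001, 27718],
}

def assess_source_ports(ports, min_samples=10, min_stddev=3000.0):
    """Rate how predictable a resolver's query source ports look.

    min_samples and min_stddev are illustrative assumptions, not values
    taken from the porttest service.
    """
    distinct = len(set(ports))
    if len(ports) < min_samples:
        return {"rating": "INSUFFICIENT", "distinct": distinct, "stddev": None}
    stddev = statistics.pstdev(ports)
    # Step between consecutive ports, modulo the 16-bit port space.
    steps = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if distinct == 1:
        rating = "POOR"   # one port reused for every query
    elif len(steps) == 1:
        rating = "POOR"   # ports differ but advance by a constant step
    elif stddev < min_stddev:
        rating = "FAIR"   # ports vary, but only inside a narrow window
    else:
        rating = "GOOD"   # many distinct ports spread over a wide range
    return {"rating": rating, "distinct": distinct, "stddev": round(stddev, 2)}

def assess_all(samples=SAMPLES):
    """Return {resolver name: rating} for every constructed sample."""
    return {name: assess_source_ports(p)["rating"] for name, p in samples.items()}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        print(name, assess_source_ports(ports))
```

The "sequential" case is the one a simple distinct-port count misses: every port is different, yet the next one is trivially guessable.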