Here are some simple instructions you can follow to upgrade your OpenBSD DNS server running a no-longer-supported version of OpenBSD, in case you are concerned about the recent cache poisoning vulnerability. I cannot vouch for the reliability of running a newer version of BIND on an older version of OpenBSD, but it appears stable running the 4.3 BIND on a 3.8 system.
Please expect your kernel to send you hate mail, your keyboard keys to pop out, and your network card to drop every other packet if you follow these procedures.

Step 1

Determine you really cannot upgrade to a recent version of OpenBSD.

Step 2

Verify your DNS server is vulnerable:

    dig txt +short porttest.dns-oarc.net @YOUR_SERVER

Look for the response. If it does not say GREAT you are probably vulnerable.

Step 3

    mkdir /tmp/4.3
    cd /tmp/4.3
    wget ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/004_bind.patch
    wget ftp://ftp.openbsd.org/pub/OpenBSD/4.3/src.tar.gz
    tar zxf src.tar.gz
    patch -p0 < 004_bind.patch
    cd usr.sbin/bind
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper
    sudo make -f Makefile.bsd-wrapper install
    sudo kill -TERM `cat /var/run/named.pid`
    sudo named -t /var/named

Step 4

Verify you are no longer vulnerable:

    dig txt +short porttest.dns-oarc.net @YOUR_SERVER

Now this should respond back with "GREAT". You can visit https://www.dns-oarc.net/ for more info about the testing procedure.

_______________________________________________
Openbsd-newbies mailing list
[email protected]
http://mailman.theapt.org/listinfo/openbsd-newbies
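The porttest check in Steps 2 and 4 measures whether the resolver randomizes the UDP source port of its outgoing queries, which is what the 004_bind.patch fix changes. The script below is an added example, not part of the original post or of OpenBSD's tools: it turns that check into something you can put in a cron job or a post-upgrade script. The function names (porttest_verdict, distinct_src_ports, src_port_ok, check_resolver) are hypothetical, the tcpdump sample lines are constructed, and the TXT answer format is what porttest.dns-oarc.net returns ("ADDR is GREAT: ..."), with GREAT, GOOD or POOR as the verdict word.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.

# porttest_verdict: classify the TXT answer from
#   dig txt +short porttest.dns-oarc.net @SERVER
# e.g. "192.0.2.1 is GREAT: 26 queries in 1.5 seconds from 26 ports with std dev 19235"
porttest_verdict() {
    case "$1" in
        *" is GREAT:"*) echo GREAT ;;
        *" is GOOD:"*)  echo GOOD ;;
        *" is POOR:"*)  echo POOR ;;
        *)              echo UNKNOWN ;;
    esac
}

# check_resolver SERVER: run the live porttest and fail unless the verdict is GREAT.
# Needs network access; not exercised by the offline demonstration below.
check_resolver() {
    answer=$(dig txt +short porttest.dns-oarc.net "@$1") || return 2
    verdict=$(porttest_verdict "$answer")
    echo "$1: $verdict"
    [ "$verdict" = GREAT ]
}

# distinct_src_ports: count distinct UDP source ports used by the resolver, from
# tcpdump -n output on stdin, e.g. captured with
#   tcpdump -n -l udp and dst port 53 and src host RESOLVER_IP
# Lines look like: "HH:MM:SS.uuuuuu IP 192.0.2.1.53012 > 198.41.0.4.53: 1+ A? x. (20)"
# A patched BIND uses a fresh random port per query; an unpatched one reuses one port.
distinct_src_ports() {
    awk '{
            for (i = 1; i < NF; i++)
                if ($i == "IP") { n = split($(i + 1), a, "."); ports[a[n]] = 1; break }
         }
         END { c = 0; for (p in ports) c++; print c }'
}

# src_port_ok MIN: succeed if the capture on stdin shows at least MIN distinct ports.
src_port_ok() {
    [ "$(distinct_src_ports)" -ge "$1" ]
}

# Constructed sample captures (not real traffic): an unpatched resolver that always
# sends from port 32768, and a patched one that picks a new port per query.
SAMPLE_FIXED='12:00:00.000001 IP 192.0.2.1.32768 > 198.41.0.4.53: 1001+ A? a.example. (27)
12:00:00.000002 IP 192.0.2.1.32768 > 198.41.0.4.53: 1002+ A? b.example. (27)
12:00:00.000003 IP 192.0.2.1.32768 > 198.41.0.4.53: 1003+ A? c.example. (27)
12:00:00.000004 IP 192.0.2.1.32768 > 198.41.0.4.53: 1004+ A? d.example. (27)'

SAMPLE_RANDOM='12:00:00.000001 IP 192.0.2.1.53012 > 198.41.0.4.53: 1001+ A? a.example. (27)
12:00:00.000002 IP 192.0.2.1.17744 > 198.41.0.4.53: 1002+ A? b.example. (27)
12:00:00.000003 IP 192.0.2.1.61901 > 198.41.0.4.53: 1003+ A? c.example. (27)
12:00:00.000004 IP 192.0.2.1.40233 > 198.41.0.4.53: 1004+ A? d.example. (27)'

# Offline demonstration on the constructed samples (4 queries each).
for name in FIXED RANDOM; do
    eval "capture=\$SAMPLE_$name"
    if printf '%s\n' "$capture" | src_port_ok 3; then
        echo "$name: source ports randomized"
    else
        echo "$name: single source port, resolver looks unpatched"
    fi
done
```

To use it against a real server, source the script and run `check_resolver YOUR_SERVER` after Step 3; or, if the server cannot reach dns-oarc.net, capture a few dozen queries with the tcpdump filter in the comment and pipe the file through `src_port_ok`.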
