2008/7/20 Mark Shroyer [EMAIL PROTECTED]:
http://blog.spoofed.org/2008/07/mitigating-dns-cache-poisoning-with-pf.html
The configuration line in question:
nat on $WAN_IF inet proto { tcp, udp } from a.b.c.d to any \
port 53 -> a.b.c.d
Or, if you have a dynamic IP address on a
On 2008-09-08, Sunnz [EMAIL PROTECTED] wrote:
2008/9/9 Stuart Henderson [EMAIL PROTECTED]:
Yes.
But the patch is now available. You should just patch instead.
Yea but I wonder why PF isn't working here.
I didn't see you mention it not working in any of your posts.
What you might notice with the PF workaround is that sites like doxpara
think you're vulnerable, because queries to the same name server use the
same source port. Queries to different
Suppose:
1. Dan Kaminsky's recently announced DNS cache poisoning vulnerability
is anywhere near as serious as he and others have made it out to be,
and
2. Simple UDP source port randomization of DNS requests is indeed
sufficient to mitigate the vulnerability.
I think we have