nanog mailing list archives
Re: Multiple DNS implementations vulnerable to cache poisoning
From: "Jay R. Ashworth" <jra () baylink com>
Date: Wed, 9 Jul 2008 10:18:04 -0400
On Wed, Jul 09, 2008 at 02:38:38PM +0100, Simon Waters wrote:
> On Wednesday 09 July 2008 14:16:53 Jay R. Ashworth wrote:
> > On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-François Mezei wrote:
> > > My DNS server made the various DNS requests from the same port and is
> > > thus vulnerable. (VMS TCPIP Services so no patches expected).
> >
> > Well, yes, but unless I've badly misunderstood the situation, all
> > that's necessary to mitigate this bug is to interpose a non-buggy
> > recursive resolver between the broken machine and the Internet at
> > large, right?
>
> He said "DNS server", which you wouldn't want to point at a correct named,
> because that would be forwarding, and forwarding has its own security issues.

Assuming that he actually meant "name server" and not "the resolver library on my VMS machine" -- lots of Unix boxes don't run a local named either. No offense to JF...

> I've already dragged a name server here back to a supported OS version today
> because of this, don't see why others should escape ;)

Well, in his case, for the same reason that no one will be upgrading the resolver library on Win98 if it's broke, I think.

Cheers,
-- jra
--
Jay R. Ashworth          Baylink                     jra () baylink com
Designer                 The Things I Think          RFC 2100
Ashworth & Associates    http://baylink.pitas.com    '87 e24
St Petersburg FL USA     http://photo.imageinc.us    +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
  -- (Josef Stalin)