nanog mailing list archives

Re: Multiple DNS implementations vulnerable to cache poisoning


From: Simon Waters <simonw () zynet net>
Date: Wed, 9 Jul 2008 14:38:38 +0100

On Wednesday 09 July 2008 14:16:53 Jay R. Ashworth wrote:
> On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-François Mezei wrote:
> > My DNS server made the various DNS requests from the same port and is
> > thus vulnerable. (VMS TCPIP Services so no patches expected).
>
> Well, yes, but unless I've badly misunderstood the situation, all
> that's necessary to mitigate this bug is to interpose a non-buggy
> recursive resolver between the broken machine and the Internet at
> large, right?

He said "DNS server", which you wouldn't want to point at a correct named, 
because that would be forwarding, and forwarding has its own security issues.

I've already dragged a name server here back to a supported OS version today 
because of this, don't see why others should escape ;)
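The check Jean-François describes doing by hand (does the resolver send every upstream query from the same UDP source port?) can be done from a sample of observed queries. The script below is an added example and is not code from the original post or from any resolver mentioned in the thread. It takes (source_port, txid) pairs such as one would pull from a packet capture of a resolver's outbound queries, reports how much entropy the ports and transaction IDs carry, and flags a fixed or small-pool source port. All three samples are constructed with a seeded generator, and the 0.9-of-maximum cutoff is an assumption chosen for illustration.

```python
"""Added example (not from the original post): judge from observed upstream
queries whether a recursive resolver randomizes its UDP source port.

A resolver that sends every query from one port, as the VMS server in the
thread does, leaves only the 16-bit TXID for a spoofer to guess; a randomized
port adds roughly another 16 bits. Samples below are constructed; the
thresholds are assumptions for illustration."""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def assess(queries, min_fraction_of_max=0.9):
    """queries: list of (source_port, txid) tuples observed from one resolver.

    Port randomization is judged against the most entropy a sample of this
    size could possibly show, log2(n); the 0.9 cutoff is an assumed threshold,
    so a resolver cycling through a handful of ports is also flagged."""
    if not queries:
        raise ValueError("need at least one observed query")
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    n = len(queries)
    max_bits = math.log2(n) if n > 1 else 0.0
    port_bits = entropy_bits(ports)
    txid_bits = entropy_bits(txids)
    distinct = len(set(ports))
    return {
        "samples": n,
        "distinct_ports": distinct,
        "port_entropy_bits": round(port_bits, 2),
        "txid_entropy_bits": round(txid_bits, 2),
        "fixed_source_port": distinct == 1,
        # bits a spoofer must get right per forged reply, as seen in this sample
        "guess_bits_observed": round(port_bits + txid_bits, 2),
        "randomizes_port": max_bits > 0
        and port_bits >= min_fraction_of_max * max_bits,
    }


def fixed_port_sample(n=1024, port=53, seed=1):
    """Constructed: every query from one port, TXID random (the vulnerable case)."""
    rng = random.Random(seed)
    return [(port, rng.randrange(65536)) for _ in range(n)]


def small_pool_sample(n=1024, pool=(1025, 1026, 1027, 1028), seed=2):
    """Constructed: cycles through four ports; barely better than a fixed port."""
    rng = random.Random(seed)
    return [(pool[i % len(pool)], rng.randrange(65536)) for i in range(n)]


def random_port_sample(n=1024, seed=3):
    """Constructed: source port drawn from the ephemeral range for each query."""
    rng = random.Random(seed)
    return [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (
        ("fixed port", fixed_port_sample()),
        ("small pool", small_pool_sample()),
        ("random port", random_port_sample()),
    ):
        print(name, assess(sample))
```

In practice the tuples would come from a capture of the resolver's queries to upstream authoritative servers taken over a few minutes of normal load, and the same assessment applies to the interposed "non-buggy" resolver Jay suggests: if that box shows a fixed or small-pool source port, forwarding to it buys nothing.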
