nanog mailing list archives

Re: Multiple DNS implementations vulnerable to cache poisoning

From: "Jay R. Ashworth" <jra () baylink com>
Date: Wed, 9 Jul 2008 10:18:04 -0400

On Wed, Jul 09, 2008 at 02:38:38PM +0100, Simon Waters wrote:

On Wednesday 09 July 2008 14:16:53 Jay R. Ashworth wrote:

On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-Fran?ois Mezei wrote:

My DNS server made the various DNS requests from the same port and is
thus vulnerable. (VMS TCPIP Services so no patches expected).


Well, yes, but unless I've badly misunderstood the situation, all
that's necessary to mitigate this bug is to interpose a non-buggy
recursive resolver between the broken machine and the Internet at
large, right?


He said "DNS server", which you wouldn't want to point at a correct named, 
because that would be forwarding, and forwarding has its own security issues.


Assuming that he actually meant "name server" and not "the resolver
library on my VMS machine" -- lots of Unix boxes don't run a local
named either.  No offense to JF...

I've already dragged a name server here back to a supported OS version today 
because of this, don't see why others should escape ;)


Well, in his case, for the same reason that no one will be upgrading
the resolver library on Win98 if it's broke, I think.

Cheers,
-- jra
-- 
Jay R. Ashworth                   Baylink                      jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

             Those who cast the vote decide nothing.
             Those who count the vote decide everything.
               -- (Josef Stalin)

Current thread:

Re: Multiple DNS implementations vulnerable to cache poisoning, (continued)
- - - Re: Multiple DNS implementations vulnerable to cache poisoning Lynda (Jul 08)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Owen DeLong (Jul 08)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Christian Koch (Jul 08)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Jimmy Hess (Jul 08)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Jean-François Mezei (Jul 08)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Chris Adams (Jul 08)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Michael C. Toren (Jul 08)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Jean-François Mezei (Jul 09)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Jay R. Ashworth (Jul 09)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Simon Waters (Jul 09)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Jay R. Ashworth (Jul 09)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Tuc at T-B-O-H.NET (Jul 11)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Brian Keefer (Jul 25)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Joe Greco (Jul 09)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Lynda (Jul 08)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Jeffrey Ollie (Jul 08)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Jay R. Ashworth (Jul 08)
- Re: Multiple DNS implementations vulnerable to cache poisoning Steven M. Bellovin (Jul 09)
  - Re: Multiple DNS implementations vulnerable to cache poisoning Christopher Morrow (Jul 09)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Steven M. Bellovin (Jul 09)
    - Re: Multiple DNS implementations vulnerable to cache poisoning Christopher Morrow (Jul 09)

(Thread continues...)