[aklug] Re: DNS Exploit

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Thu Jul 10 2008 - 09:51:02 AKDT

On Thu, 10 Jul 2008, Jenkinson, John P (SAIC) wrote:

> very good points
> what i was attempting to say is if any DNS server used to resolve a name
> is vulnerable then there's a possibility the response can be poisoned.

True, if you're forwarding queries. The default caching DNS server should
only be talking to authoritative DNS servers, though, which eliminates cache
poisoning from the get-go.

> also
> changing the behaviour of ports in use by dns/bind can cause more problems than
> the patch fixes. selinux is being reported to cause problems after the patch.

Really? I wouldn't think that's the problem. Since bind 8 (I think) even
they used high-numbered ports for their outbound resolution requests; the
problem lay in that they reused the ports on a per-client basis, rather
than randomizing each port per-request. Given that bind is already using a
number of unprivileged ports I would think they would be in the clear from
SELinux. But, I'll have to defer to those actually running it. ;-)

> also
> reports are that checkpoint reorders the ports in sequential order if application
> intelligence is not turned on. so you patch, fix selinux then the ports used
> outa the firewall are sequential.

<G> That definitely doesn't help.

> DNS is a high value service. patching should be tempered with caution.
> BUT the vulnerability was significant enough to get cooperation of lotsa vendors
> like microsoft and ISC to cooperate on the patch release.

Very true, and it's extremely rare to see such a massive coordinated release
across so many vendors. This guy's proof-of-concept must be very compelling,
scary, or both. :-)

BTW: for those wanting to delve into DNS attacks, a good introduction can be
found here:

   http://www.lurhq.com/dnscache.pdf

         --Arthur Corliss
           Live Free or Die
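An added defender's check, not part of the thread above: given the source ports and transaction IDs seen on a resolver's outbound queries (the sample pairs below are constructed, as one would pull them from a packet capture), this classifies whether the ports are fixed, re-sequenced by an intermediate device as the Checkpoint report describes, or genuinely randomised. The verdict thresholds are assumptions, not values from the thread.

```python
from collections import Counter
import math

# Constructed samples of (src_port, txid) for a resolver's outbound queries.
FIXED_PORT = [(53, 0x1a2b), (53, 0x3c4d), (53, 0x5e6f), (53, 0x7081)]
SEQUENTIAL = [(40001, 0x1111), (40002, 0x2222), (40003, 0x3333),
              (40004, 0x4444), (40005, 0x5555)]
RANDOMISED = [(49211, 0x9f01), (60433, 0x2c77), (51877, 0x81a3),
              (33098, 0x0e52), (58721, 0x6b19), (40960, 0xd4ee)]


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports):
    """Fraction of consecutive queries whose port is exactly previous + 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
    return steps / (len(ports) - 1)


def assess(samples):
    """Summarise how much an off-path guesser would have to search."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    distinct_ports = len(set(ports))
    seq = sequential_fraction(ports)
    if distinct_ports == 1:
        # Only the 16-bit txid protects the answer: pre-patch behaviour.
        verdict = "fixed source port"
    elif seq > 0.5:  # assumed threshold: mostly +1 steps means NAT/firewall re-sequencing
        verdict = "sequential ports"
    else:
        verdict = "randomised"
    return {
        "verdict": verdict,
        "distinct_ports": distinct_ports,
        "distinct_txids": len(set(txids)),
        "sequential_fraction": seq,
        "port_entropy_bits": port_entropy_bits(ports),
    }


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("random", RANDOMISED)):
        print(name, assess(sample))
```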
Received on Thu Jul 10 09:51:16 2008