[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

On Tue, 08 Jul 2008, Florian Weimer wrote:
> 1. Install a local BIND 9 resoler on the host, possibly in
> forward-only mode.  BIND 9 will then use source port randomization
> when sending queries over the network.  (Other caching resolvers can
> be used instead.)
> 2. Rely on IP address spoofing protection if available.  Successful
> attacks must spoof the address of one of the resolvers, which may not
> be possible if the network is guarded properly against IP spoofing
> attacks (both from internal and external sources).

3. Install lwresd from an updated BIND9, install libnss-lwres, and replace
"dns" with "lwres" in /etc/nsswitch.conf.   Make sure to restart lwres when
/etc/resolv.conf changes.

However, expect applications that require DNS round-robin in the resolver to
break (just like they break with the libc resolver with A record ordering

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to: