
Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver



On Tuesday, 8 July 2008 19:05, Florian Weimer wrote:
> […]

> At this time, it is not possible to implement the recommended
> countermeasures in the GNU libc stub resolver.

Hello,

I don’t have bind9 installed.  Am I affected by the libc stub resolver bug?

> The following workarounds are available:
>
> 1. Install a local BIND 9 resolver on the host, possibly in
> forward-only mode.  BIND 9 will then use source port randomization
> when sending queries over the network.  (Other caching resolvers can
> be used instead.)
>
> 2. Rely on IP address spoofing protection if available.  Successful
> attacks must spoof the address of one of the resolvers, which may not
> be possible if the network is guarded properly against IP spoofing
> attacks (both from internal and external sources).

Is it okay to apply only workaround 2?  Is my server guarded properly against 
IP spoofing attacks (both from internal and external sources) if the content 
of /proc/sys/net/ipv4/conf/all/rp_filter is 1?

> […]

Best wishes,
Wolfgang
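
An added example, not part of the original message or of the advisory: a shell script that checks a host against the two quoted workarounds, reporting whether resolv.conf points only at a loopback resolver and what rp_filter is set to for conf/all and each interface. The function names, the ROOT argument and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the two workarounds quoted in the message.
# ROOT (hypothetical parameter) lets the checks run against a copy of
# /etc and /proc/sys; pass "" to inspect the live system.

# Workaround 1: succeed only if every nameserver in resolv.conf is a
# loopback address, i.e. the stub resolver talks to a local resolver.
resolv_is_local() {
    conf="$1/etc/resolv.conf"
    [ -r "$conf" ] || return 2
    awk '$1 == "nameserver" { n++; if ($2 !~ /^127\./ && $2 != "::1") bad++ }
         END { exit !(n > 0 && bad == 0) }' "$conf"
}

# Workaround 2: print "<name>=<value>" for conf/all and every interface.
# Both are shown because the way the kernel combines them has differed
# between kernel versions; rp_filter covers IPv4 only.
rp_filter_values() {
    for f in "$1"/proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        name=${f%/rp_filter}
        printf '%s=%s\n' "${name##*/}" "$(cat "$f")"
    done
}

# Names whose rp_filter is 0 (reverse-path check switched off).
rp_filter_disabled() {
    rp_filter_values "$1" | awk -F= '$2 == 0 { print $1 }'
}

# Constructed sample tree (not taken from any real host).
sample=$(mktemp -d)
mkdir -p "$sample/etc" "$sample/proc/sys/net/ipv4/conf/all" \
         "$sample/proc/sys/net/ipv4/conf/eth0"
printf 'nameserver 192.0.2.53\n' > "$sample/etc/resolv.conf"
echo 1 > "$sample/proc/sys/net/ipv4/conf/all/rp_filter"
echo 0 > "$sample/proc/sys/net/ipv4/conf/eth0/rp_filter"

if resolv_is_local "$sample"; then
    echo "resolv.conf: local resolver only"
else
    echo "resolv.conf: stub resolver sends queries off-host"
fi
rp_filter_values "$sample"
echo "rp_filter off on: $(rp_filter_disabled "$sample")"
```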

