Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
On Tuesday, 8 July 2008 19:05, Florian Weimer wrote:
> At this time, it is not possible to implement the recommended
> countermeasures in the GNU libc stub resolver.
I don’t have bind9 installed. Am I affected by the libc stub resolver bug?
> The following workarounds are available:
> 1. Install a local BIND 9 resolver on the host, possibly in
> forward-only mode. BIND 9 will then use source port randomization
> when sending queries over the network. (Other caching resolvers can
> be used instead.)
> 2. Rely on IP address spoofing protection if available. Successful
> attacks must spoof the address of one of the resolvers, which may not
> be possible if the network is guarded properly against IP spoofing
> attacks (both from internal and external sources).
Is it okay to apply only workaround 2? Is my server guarded properly against
IP spoofing attacks (both from internal and external sources) if the content
of /proc/sys/net/ipv4/conf/all/rp_filter is 1?