On Wed, Jul 09, 2008 at 06:10:51PM +0200, Wolfgang Jeltsch wrote:
> > At this time, it is not possible to implement the recommended
> > countermeasures in the GNU libc stub resolver.
>
> I don't have bind9 installed. Am I affected by the libc stub resolver bug?

Yes. I suggest that you install bind9, configure it to only listen on
127.0.0.1, and add "nameserver 127.0.0.1" to resolv.conf before any other
nameserver lines (since they're queried in order).

> > The following workarounds are available:
> >
> > 1. Install a local BIND 9 resolver on the host, possibly in
> > forward-only mode. BIND 9 will then use source port randomization
> > when sending queries over the network. (Other caching resolvers can
> > be used instead.)
> >
> > 2. Rely on IP address spoofing protection if available. Successful
> > attacks must spoof the address of one of the resolvers, which may not
> > be possible if the network is guarded properly against IP spoofing
> > attacks (both from internal and external sources).
>
> Is it okay to apply only workaround 2? Is my server guarded properly against
> IP spoofing attacks (both from internal and external sources) if the content
> of /proc/sys/net/ipv4/conf/all/rp_filter is 1?

rp_filter doesn't actually do anything meaningful on single-homed machines.
All it does is drop inbound packets from host H on interface A if, to reach H,
the kernel would send a packet out interface B. It doesn't magically protect
against IP spoofing (if it was that easy, then IP spoofing wouldn't be an
issue). If you've only got one interface, it doesn't do anything.

noah
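The local, loopback-only, forward-only BIND 9 setup that noah and workaround 1 describe, written out as an added example (it is not from the thread or the Debian advisory); the directory path is the Debian default and the forwarder addresses are placeholders you replace with your own upstream resolvers:

```conf
// /etc/bind/named.conf.options  (added example; adjust for your system)
options {
    directory "/var/cache/bind";

    // Answer only on the loopback address, so the cache is not reachable
    // from the network; the libc stub resolver reaches it via resolv.conf.
    listen-on { 127.0.0.1; };
    listen-on-v6 { none; };
    allow-query { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };

    // Forward-only mode: every outgoing query goes to these upstream
    // resolvers from a randomized source port, which is the countermeasure
    // the glibc stub resolver cannot apply on its own.
    // PLACEHOLDER addresses (RFC 5737 documentation range): replace them
    // with your ISP's or site resolvers.
    forward only;
    forwarders {
        192.0.2.1;
        192.0.2.2;
    };
};
```

After restarting named, `netstat -ulnp | grep :53` should show it bound to 127.0.0.1 only, and `nameserver 127.0.0.1` then goes ahead of any other nameserver line in /etc/resolv.conf as noah describes.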