
Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

On Wed, Jul 09, 2008 at 06:10:51PM +0200, Wolfgang Jeltsch wrote:
> > At this time, it is not possible to implement the recommended
> > countermeasures in the GNU libc stub resolver.
> I don't have bind9 installed.  Am I affected by the libc stub resolver bug?

Yes.  I suggest that you install bind9, configure it to only listen on, and add "nameserver" to resolv.conf before any
other nameserver lines (since they're queried in order).

> > The following workarounds are available:
> >
> > 1. Install a local BIND 9 resolver on the host, possibly in
> > forward-only mode.  BIND 9 will then use source port randomization
> > when sending queries over the network.  (Other caching resolvers can
> > be used instead.)
> >
> > 2. Rely on IP address spoofing protection if available.  Successful
> > attacks must spoof the address of one of the resolvers, which may not
> > be possible if the network is guarded properly against IP spoofing
> > attacks (both from internal and external sources).
> Is it okay to apply only workaround 2?  Is my server guarded properly against 
> IP spoofing attacks (both from internal and external sources) if the content 
> of /proc/sys/net/ipv4/conf/all/rp_filter is 1?

rp_filter doesn't actually do anything meaningful on single-homed
machines.  All it does is drop inbound packets from host H on interface
A if, to reach H, the kernel would send a packet out interface B.  It
doesn't magically protect against IP spoofing (if it was that easy, then
IP spoofing wouldn't be an issue).  If you've only got one interface, it
doesn't do anything.

