
Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

On Tue, 8 Jul 2008 22:43:54 -0300 Henrique de Moraes Holschuh
<hmh@debian.org> wrote:

> On Tue, 08 Jul 2008, Florian Weimer wrote:
> > 1. Install a local BIND 9 resolver on the host, possibly in
> > forward-only mode.  BIND 9 will then use source port randomization
> > when sending queries over the network.  (Other caching resolvers can
> > be used instead.)
> > 
> > 2. Rely on IP address spoofing protection if available.  Successful
> > attacks must spoof the address of one of the resolvers, which may
> > not be possible if the network is guarded properly against IP
> > spoofing attacks (both from internal and external sources).
> 3. Install lwresd from an updated BIND9, install libnss-lwres, and
> replace "dns" with "lwres" in /etc/nsswitch.conf.   Make sure to
> restart lwres when /etc/resolv.conf changes.

Hmm... libnss-lwres is orphaned (#475089), and is uninstallable on sid.

Hubert Chathi <uhoreg@debian.org> -- Jabber: hubert@uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA         http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
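
A check for workarounds 1 and 3 quoted above, as an added example that is not part of the original thread: it reads the text of /etc/resolv.conf and /etc/nsswitch.conf and reports whether the libc stub resolver still sends queries off-host itself. The function names and the sample file contents are constructed for illustration; the "dns" and "lwres" module names are the ones named in the quoted message.

```python
import ipaddress
import re

def parse_nameservers(resolv_conf):
    """Addresses from 'nameserver' lines of resolv.conf text."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def hosts_sources(nsswitch_conf):
    """NSS sources on the 'hosts:' line, with [STATUS=action] items dropped."""
    for line in nsswitch_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):]).split()
    return []

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # unparsable entry: treat as off-host
        return False

def audit(resolv_conf, nsswitch_conf):
    """Report whether the libc stub resolver itself sends queries off-host."""
    sources = hosts_sources(nsswitch_conf)
    remote = [s for s in parse_nameservers(resolv_conf) if not is_loopback(s)]
    return {
        "dns_module": "dns" in sources,
        "lwres_module": "lwres" in sources,
        "remote_nameservers": remote,
        "stub_queries_leave_host": "dns" in sources and bool(remote),
    }

# Constructed sample files (192.0.2.53 is a documentation address).
BEFORE_RESOLV = "search example.org\nnameserver 192.0.2.53\n"
AFTER_RESOLV = "# local BIND 9 forwards to 192.0.2.53\nnameserver 127.0.0.1\n"
NSSWITCH_DNS = "passwd: compat\nhosts: files dns\n"
NSSWITCH_LWRES = "hosts: files lwres [NOTFOUND=return] # workaround 3\n"

if __name__ == "__main__":
    print(audit(BEFORE_RESOLV, NSSWITCH_DNS))    # stub talks to a remote resolver
    print(audit(AFTER_RESOLV, NSSWITCH_DNS))     # workaround 1: loopback only
    print(audit(BEFORE_RESOLV, NSSWITCH_LWRES))  # workaround 3: dns module unused
```

A loopback nameserver only helps if the local resolver behind it randomizes its source ports, which this check cannot see.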
