Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
* Noah Meyerhans:
> On Wed, Jul 09, 2008 at 06:10:51PM +0200, Wolfgang Jeltsch wrote:
>> > At this time, it is not possible to implement the recommended
>> > countermeasures in the GNU libc stub resolver.
>> I don't have bind9 installed. Am I affected by the libc stub resolver bug?
> Yes. I suggest that you install bind9, configure it to only listen on
> 127.0.0.1, and add "nameserver 127.0.0.1" to resolv.conf before any
> other nameserver lines (since they're queried in order).
On the one hand, if you don't build a network of your own, and your ISP
properly filters their Internet connection and their customer interfaces
to stop source address spoofing, it's not possible to forge DNS traffic
which claims to come from the ISP resolver. (Since the addresses
involved are theirs, they can actually do it--globally, on the whole
Internet, it's much more difficult.)
So in many cases, countermeasures aren't really necessary. On the other
hand, the amount of filtering varies greatly from region to region, and
even from ISP to ISP. Certainly, there are some broadband deployments
with shockingly little filtering, and customers can attack each other in
these cases (but only by spoofing blindly). That's why we're looking
into providing a libc update.
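Noah's advice above hinges on resolv.conf ordering ("nameserver 127.0.0.1" before any other nameserver line, since glibc tries them in order). The following is an added example, not code from the original thread, from glibc or from bind9: a small checker that models the two glibc behaviours that can silently undo that advice, namely that only the first MAXNS (3) nameserver entries are kept, and that "options rotate" turns the ordered list into round-robin so remote resolvers still get queries. The resolv.conf texts it is run on are constructed samples; 192.0.2.0/24 is a documentation address range, not a real resolver.

```python
"""Sanity-check a resolv.conf against the "local resolver first" advice.

Added example, not part of the original mail, glibc or bind9. It models only
the parts of glibc resolv.conf handling that matter for the advice:
'nameserver' lines are tried in file order, at most MAXNS (3) of them are
kept, and 'options rotate' switches to round-robin, which defeats
"put 127.0.0.1 first". Sample inputs are constructed; 192.0.2.0/24 is a
documentation range.
"""

MAXNS = 3                        # glibc keeps only the first three nameservers
LOOPBACK = {"127.0.0.1", "::1"}  # a local bind9 would listen on one of these


def parse(resolv_conf: str):
    """Return (nameserver addresses in file order, rotate flag).

    Lines starting with '#' or ';' are comments; everything else that is
    not a 'nameserver' or 'options' line (search, domain, ...) is ignored.
    """
    servers, rotate = [], False
    for raw in resolv_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
        elif parts[0] == "options" and "rotate" in parts[1:]:
            rotate = True
    return servers, rotate


def assess(resolv_conf: str) -> str:
    """Classify a resolv.conf.

    'ok'                 local resolver is first and will see every query
    'remote-first'       a remote resolver is tried before the local one
    'local-beyond-maxns' 127.0.0.1/::1 is listed, but after the MAXNS cut-off
    'rotate'             local resolver is first, but rotate spreads queries
    'no-nameservers'     nothing usable, glibc would fall back to localhost
    """
    servers, rotate = parse(resolv_conf)
    used = servers[:MAXNS]           # entries past MAXNS are silently dropped
    if not used:
        return "no-nameservers"
    local = [s for s in servers if s in LOOPBACK]
    if local and local[0] not in used:
        return "local-beyond-maxns"
    if used[0] not in LOOPBACK:
        return "remote-first"
    if rotate:
        return "rotate"
    return "ok"


# Constructed samples, not taken from any real host.
SAMPLE_OK = """# local bind9 first, ISP resolver as fallback
nameserver 127.0.0.1
nameserver 192.0.2.53
"""
SAMPLE_REMOTE_FIRST = """nameserver 192.0.2.53
nameserver 127.0.0.1
"""
SAMPLE_TOO_LATE = """nameserver 192.0.2.1
nameserver 192.0.2.2
nameserver 192.0.2.3
nameserver 127.0.0.1
"""
SAMPLE_ROTATE = """options rotate timeout:2
nameserver 127.0.0.1
nameserver 192.0.2.53
"""

if __name__ == "__main__":
    for name, text in [("ok", SAMPLE_OK), ("remote-first", SAMPLE_REMOTE_FIRST),
                       ("too-late", SAMPLE_TOO_LATE), ("rotate", SAMPLE_ROTATE)]:
        print(f"{name:13s} -> {assess(text)}")
```

Run it against a real file with `assess(open("/etc/resolv.conf").read())`. Anything other than `ok` means some queries still leave the host through the stub resolver the advisory is about, even though bind9 is installed.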