[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning

John Elliot a écrit :
We have a couple of Sarge servers running bind9(9.2.4-1sarge3) that appear to be vulnerable to the DNS cache poisoning issue(Looks like port randomization was only introduced in bind9.3?) - As the servers cannot be upgraded at this time to etch, what is the recommended course of action? Backports and upgrade to 9.3?


One solution is to let another device do the port randomization, to protect your DNS clients.

If you run a Netfilter NAT firewall, you can use the source port NAT randomization feature of Netfilter. This feature is available in Linux vanilla kernel since

See http://software.inl.fr//trac/wiki/contribs/RandomSkype

Vincent Deffontaines

Reply to: