Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
John Elliot wrote:
We have a couple of Sarge servers running bind9 (9.2.4-1sarge3) that
appear to be vulnerable to the DNS cache poisoning issue (looks like port
randomization was only introduced in bind9.3?). As the servers cannot
be upgraded at this time to etch, what is the recommended course of
action? Backports and upgrade to 9.3?
One solution is to let another device do the port randomization, to
protect your DNS clients.
If you run a Netfilter NAT firewall, you can use the source port NAT
randomization feature of Netfilter. This feature is available in Linux
vanilla kernel since 126.96.36.199
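The Netfilter approach suggested above, as an added example that is not part of the thread: the NAT box rewrites the resolver's outbound UDP/53 queries with SNAT --random, so the kernel picks the source port instead of the old BIND. The resolver address 192.0.2.53, public address 203.0.113.1 and interface eth0 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): let a Netfilter NAT box randomize the
# UDP source port of an old BIND 9.2 resolver's outbound queries, so the
# resolver itself does not need to implement port randomization.
# Placeholders (assumptions): 192.0.2.53 is the resolver on the LAN,
# 203.0.113.1 the NAT box's public address, eth0 its WAN interface.

# Emit the rule for the resolver's outbound DNS queries. "--random" on the
# SNAT target makes the kernel choose a random source port for each new
# conntrack entry instead of trying to keep the resolver's predictable port.
# Only UDP is covered: TCP answers are not spoofable the same way.
dns_snat_rules() {
    resolver="$1" public="$2" wan="$3"
    cat <<EOF
iptables -t nat -A POSTROUTING -o $wan -s $resolver -p udp --dport 53 -j SNAT --to-source $public --random
EOF
}

# Check whether this iptables build knows the --random SNAT option; on
# older kernels/iptables the option is absent and the rule is rejected.
snat_random_supported() {
    iptables -j SNAT --help 2>/dev/null | grep -q -- '--random'
}

# Apply the rule only when run as root with APPLY=1; otherwise print it,
# so the script can be reviewed (or tested) without touching the firewall.
install_dns_snat() {
    if [ "${APPLY:-0}" = "1" ]; then
        snat_random_supported || { echo "SNAT --random not supported here" >&2; return 1; }
        dns_snat_rules "$@" | sh -e
    else
        dns_snat_rules "$@"
    fi
}

install_dns_snat 192.0.2.53 203.0.113.1 eth0
```

This only protects the resolver if every outbound query it sends actually traverses this NAT box; after loading the rule, `iptables -t nat -vnL POSTROUTING` should show its counters increasing as the resolver queries upstream.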