Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
* John Elliot:
> Hi, We have a couple of Sarge servers running bind9 (9.2.4-1sarge3)
> that appear to be vulnerable to the DNS cache poisoning issue (Looks
> like port randomization was only introduced in bind9.3?) - As the
> servers cannot be upgraded at this time to etch, what is the
> recommended course of action? Backports and upgrade to 9.3?
Install one or more etch boxes, put BIND 9 onto them, and configure the
sarge machines to use them as forwarders. This is sufficient if the
network between them is trusted. You could also forward requests to
your ISP's resolvers (subject to the same constraint).
I could provide you with an untested 9.3 backport for sarge (or you
could compile one yourself).
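As an added example (not from the thread), this is the kind of `named.conf` options block a sarge resolver would carry to hand all recursion to the patched etch boxes; the addresses are placeholders from the documentation ranges, and the `forward only` setting is the part that matters.

```conf
// Added example, not taken from the thread: "options" block for a sarge
// BIND 9.2.4 host that forwards every query to patched etch resolvers.
// 192.0.2.10 / 192.0.2.11 (forwarders) and 198.51.100.0/24 (local clients)
// are placeholder addresses from the documentation ranges.
options {
    directory "/var/cache/bind";

    // "forward only" is the important line: with the default "forward first",
    // a timeout or SERVFAIL from the forwarders makes this server fall back
    // to iterative lookups from its own fixed source port, which is exactly
    // the exposure the forwarding setup is meant to remove.
    forward only;
    forwarders {
        192.0.2.10;
        192.0.2.11;
    };

    // The sarge host still answers only its own network; the forwarders do
    // the part of the lookup that talks to the untrusted internet.
    allow-recursion { 127.0.0.1; 198.51.100.0/24; };
    allow-query     { 127.0.0.1; 198.51.100.0/24; };
};
```

After `rndc reload`, run `rndc flush` so answers cached before the change are discarded rather than served until they expire.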