Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning

To: John Elliot <johnelliot67@hotmail.com>
Cc: <debian-security@lists.debian.org>
Subject: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sun, 20 Jul 2008 14:04:20 +0200
Message-id: <87bq0siwxn.fsf@mid.deneb.enyo.de>
References: <20080710073848.32E2F13A69BE@liszt.debian.org> <20080710073851.A39F213A69D1@liszt.debian.org> <BAY119-W6D0F11310DA85C8710B81DA910@phx.gbl>

* John Elliot:

> Hi, We have a couple of Sarge servers running bind9(9.2.4-1sarge3)
> that appear to be vulnerable to the DNS cache poisoning issue(Looks
> like port randomization was only introduced in bind9.3?) - As the
> servers cannot be upgraded at this time to etch, what is the
> recommended course of action? Backports and upgrade to 9.3?

Install one or more etch boxes, put BIND 9 onto it, and configure the
sarge machines to use them as forwarders.  This is sufficient if the
network between them is trusted.  You could also forward requests to
your ISP's resolvers (subject to the same constraint).

I could provide you with an untested 9.3 backport for sarge (or you
could compile one yourself).

Reply to:

Follow-Ups:
- Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
  - From: "Milan P. Stanic" <mps@arvanta.net>

References:
- Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
  - From: John Elliot <johnelliot67@hotmail.com>

Prev by Date: Re: Study: Attacks on package managers (inclusing apt)
Next by Date: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Previous by thread: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Next by thread: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Index(es):
- Date
- Thread