Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning

To: debian-security@lists.debian.org
Subject: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
From: "Milan P. Stanic" <mps@arvanta.net>
Date: Sun, 20 Jul 2008 15:16:37 +0200
Message-id: <20080720131637.GA11060@arvanta.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <87bq0siwxn.fsf@mid.deneb.enyo.de>
References: <20080710073848.32E2F13A69BE@liszt.debian.org> <20080710073851.A39F213A69D1@liszt.debian.org> <BAY119-W6D0F11310DA85C8710B81DA910@phx.gbl> <87bq0siwxn.fsf@mid.deneb.enyo.de>

On Sun, 2008-07-20 at 14:04, Florian Weimer wrote:
> * John Elliot:
> > Hi, We have a couple of Sarge servers running bind9(9.2.4-1sarge3)
> > that appear to be vulnerable to the DNS cache poisoning issue(Looks
> > like port randomization was only introduced in bind9.3?) - As the
> > servers cannot be upgraded at this time to etch, what is the
> > recommended course of action? Backports and upgrade to 9.3?
> Install one or more etch boxes, put BIND 9 onto it, and configure the
> sarge machines to use them as forwarders.  This is sufficient if the
> network between them is trusted.  You could also forward requests to
> your ISP's resolvers (subject to the same constraint).

Simpler and more secure (and easier) solution is the installation of the
djbdns.

Reply to:

References:
- Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
  - From: John Elliot <johnelliot67@hotmail.com>
- Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Next by Date: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Previous by thread: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Next by thread: clamav-freshclam volatile VS python-clamav
Index(es):
- Date
- Thread