
Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

Quoting Hideki Yamane (henrich@debian.or.jp):

>  I want to know that, too.
>  Should ALL systems (servers or desktops/laptops) need to be installed
>  and configure bind9 (or something) package, or need to wait for update?

My own preference is, indeed, to have one of the following as a local
recursive resolver:

o  MaraDNS's recursor module (not enabling the authoritative
     zoneserver):  Author built in a custom RNG from the beginning
o  Unbound:  Author built in a custom RNG from the beginning
o  dnscache from djbdns:  built in a custom RNG from the beginning, _and_
     the author made a point of warning everyone else of the pitfall
     (but you have to put up with djb weirdness, apply patches, etc.)
o  PowerDNS Recursor:  Retrofitted a custom RNG in March 2008, after
     the Kaminsky issue emerged behind closed doors, which is better than
     nothing but doesn't lend confidence.  (OTOH, it's small, light,
     and easy to install/configure.)
o  BIND9 run just for its recursive-resolver functions (but it's
     bloated, slow, overfeatured, and ignored the issue for years)

I'd lock the host's DNS client via /etc/resolv.conf to query only
localhost.  At that point, client weaknesses in source port
randomisation become a non-issue.
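
The "lock resolv.conf to localhost" step above is easy to get wrong on a
fleet where DHCP clients or config management rewrite the file, so a small
check that parses resolv.conf and reports any nameserver that is not a
loopback address is worth having. The following is an added example, not
code from the original post or from Debian; the sample resolv.conf text is
constructed here, and the function names are my own.

```python
import ipaddress

# Constructed sample of an /etc/resolv.conf; 192.0.2.53 is a documentation
# address standing in for an upstream resolver that should not be here.
SAMPLE_RESOLV_CONF = """\
# written by hand for this example
search example.internal
nameserver 127.0.0.1
nameserver 192.0.2.53   ; stale entry left behind by DHCP
options timeout:2
"""


def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf text, in file order.

    Both '#' and ';' start a comment in resolv.conf, so strip either.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def non_loopback_nameservers(text):
    """Return nameserver entries that are not loopback (127/8 or ::1).

    Unparsable entries are reported too, since they cannot be trusted to
    point at the local recursive resolver.
    """
    offending = []
    for addr in parse_nameservers(text):
        try:
            # Drop an IPv6 zone id such as "%eth0" before parsing.
            ip = ipaddress.ip_address(addr.split("%", 1)[0])
        except ValueError:
            offending.append(addr)
            continue
        if not ip.is_loopback:
            offending.append(addr)
    return offending


def resolver_locked_to_localhost(text):
    """True only if at least one nameserver is listed and all are loopback."""
    servers = parse_nameservers(text)
    return bool(servers) and not non_loopback_nameservers(text)


if __name__ == "__main__":
    # Check the constructed sample; on a real host read /etc/resolv.conf instead.
    bad = non_loopback_nameservers(SAMPLE_RESOLV_CONF)
    if bad:
        print("resolv.conf still points at non-local resolvers:", bad)
    else:
        print("resolv.conf queries localhost only")
```

Run it against the real file with
`non_loopback_nameservers(open("/etc/resolv.conf").read())`; an empty
list means the host's stub resolver only ever talks to the local recursor,
which is the precondition for the stub's own port randomisation to be
irrelevant.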
