Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Quoting Hideki Yamane (henrich@debian.or.jp):
> I want to know that, too.
> Do ALL systems (servers or desktops/laptops) need to have bind9 (or
> something) installed and configured, or should they wait for an update?
My own preference is, indeed, to have one of the following as a local
recursive resolver:
o MaraDNS's recursor module (not enabling the authoritative
zoneserver): Author built in a custom RNG from the beginning
o Unbound: Author built in a custom RNG from the beginning
o dnscache from djbdns: built in a custom RNG from the beginning, _and_
the author made a point of warning everyone else of the pitfall
(but you have to put up with djb weirdness, apply patches, etc.)
o PowerDNS Recursor: Retrofitted a custom RNG in March 2008, after
the Kaminsky issue emerged behind closed doors, which is better than
nothing but doesn't lend confidence. (OTOH, it's small, light,
and easy to install/configure.)
o BIND9 run just for its recursive-resolver functions (but it's
bloated, slow, overfeatured, and ignored the issue for years)
I'd lock the host's DNS client via /etc/resolv.conf to query only
localhost. At that point, client weaknesses in source-port
randomisation become a non-issue.
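As an added example (not part of the mail above, nor of any of the resolvers it names): a small POSIX shell check that verifies a resolv.conf-style file really does point the libc stub only at loopback, i.e. at a local recursor, with no stray network nameserver left behind. The function name and the sample files are constructed for illustration; on a real host you would run the check against /etc/resolv.conf.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original mail): confirm
# that a resolv.conf points the stub resolver only at a loopback address,
# so the libc stub never sends queries onto the network itself.

# resolv_conf_locked FILE
#   Return 0 if every "nameserver" line in FILE names a loopback address
#   and there is at least one such line; otherwise report the problem on
#   stderr and return 1.
resolv_conf_locked() {
    file="$1"
    count=0
    while read -r key addr _rest; do
        # Only "nameserver" lines matter; comments, "search", "options"
        # and blank lines are skipped.
        [ "$key" = "nameserver" ] || continue
        count=$((count + 1))
        case "$addr" in
            127.*|::1|0:0:0:0:0:0:0:1) ;;   # loopback: fine
            *)  echo "$file: non-loopback nameserver $addr" >&2
                return 1 ;;
        esac
    done < "$file"
    if [ "$count" -eq 0 ]; then
        echo "$file: no nameserver lines; state the local recursor explicitly" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (not taken from any real host).
GOOD=$(mktemp)
BAD=$(mktemp)
EMPTY=$(mktemp)
printf '# local recursor only\nnameserver 127.0.0.1\nnameserver ::1\noptions edns0\n' > "$GOOD"
printf 'search example.net\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$BAD"
printf 'search example.net\n' > "$EMPTY"

# Demonstration run over the three samples.
for f in "$GOOD" "$BAD" "$EMPTY"; do
    if resolv_conf_locked "$f"; then
        echo "$f: locked to localhost"
    fi
done
```

The check deliberately treats a file with no nameserver line as a failure: the libc stub falls back to a default in that case, and the point of the exercise is to make the dependency on the local recursor explicit rather than implicit.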