
Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver



On Tue, 08 Jul 2008, Florian Weimer wrote:
> 1. Install a local BIND 9 resolver on the host, possibly in
> forward-only mode.  BIND 9 will then use source port randomization
> when sending queries over the network.  (Other caching resolvers can
> be used instead.)
> 
> 2. Rely on IP address spoofing protection if available.  Successful
> attacks must spoof the address of one of the resolvers, which may not
> be possible if the network is guarded properly against IP spoofing
> attacks (both from internal and external sources).

3. Install lwresd from an updated BIND9, install libnss-lwres, and replace
"dns" with "lwres" in /etc/nsswitch.conf.   Make sure to restart lwres when
/etc/resolv.conf changes.

However, expect applications that require DNS round-robin in the resolver to
break (just like they break with the libc resolver with A record ordering
enabled).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
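The nsswitch.conf step of option 3 above, as an added shell example that is not part of the thread: it rewrites the `hosts:` line of an nsswitch.conf-style file so the `dns` source becomes `lwres` while leaving other sources and action specifiers such as `[NOTFOUND=return]` in place, and it provides a check for whether a host still resolves through the libc `dns` stub. The function names and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Rewrites the "hosts:" line of an
# nsswitch.conf-style file in place so that the "dns" source becomes "lwres".
# Other sources (files, mdns4_minimal, ...) and action specifiers such as
# [NOTFOUND=return] are left untouched; running it twice is a no-op.
# Note: awk rebuilds the edited line with single spaces between tokens.
nsswitch_dns_to_lwres() {
    f="$1"
    tmp="$f.tmp.$$"
    awk '
        /^[ \t]*hosts:/ {
            for (i = 2; i <= NF; i++) if ($i == "dns") $i = "lwres"
            print
            next
        }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Prints the resolution sources configured for "hosts" (everything after "hosts:").
hosts_sources() {
    awk '/^[ \t]*hosts:/ { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Returns 0 when the hosts line still consults the libc "dns" stub resolver,
# 1 otherwise (including when there is no hosts line at all).
hosts_uses_libc_dns() {
    hosts_sources "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dns") found = 1 } END { exit !found }'
}
```

Constructed sample input for the check: a file whose hosts line reads `hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4` is reported as using the libc stub before the rewrite and not after it.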
