
Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver



On Wednesday, 9 July 2008 20:51, Noah Meyerhans wrote:
> On Wed, Jul 09, 2008 at 06:10:51PM +0200, Wolfgang Jeltsch wrote:
> > > At this time, it is not possible to implement the recommended
> > > countermeasures in the GNU libc stub resolver.
> >
> > I don’t have bind9 installed.  Am I affected by the libc stub resolver
> > bug? 
>
> Yes.

Even if the bug is fixed in my provider’s DNS servers?

> > I suggest that you install bind9,

How do I tell bind9 what DNS servers to ask?  Is this also done by 
resolv.conf?  If yes, named would ask itself if 127.0.0.1 is the first entry.

> > configure it to only listen on 127.0.0.1,

How do I do this? dpkg-reconfigure doesn’t help.

> > and add "nameserver 127.0.0.1" to resolv.conf before any 
> > other nameserver lines (since they're queried in order).

Shouldn’t I remove the other entries?  The other nameservers shouldn’t be 
contacted anymore, right?

Best wishes,
Wolfgang
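
The resolv.conf ordering in the quoted advice can be checked mechanically. The script below is an added example, not part of the original message or of any Debian tool; the sample file contents and the function names are constructed for illustration. It lists the nameserver lines in the order they are queried and reports every entry that is not a loopback address.

```python
import ipaddress
import sys

# Constructed sample, not taken from the thread: a provider server
# (documentation address) listed ahead of the local bind9.
SAMPLE = """\
# /etc/resolv.conf
search example.org
nameserver 192.0.2.53
nameserver 127.0.0.1
"""

def nameservers(text):
    """Return nameserver addresses in file order, the order they are queried."""
    found = []
    for line in text.splitlines():
        if line.startswith(("#", ";")):   # comment marker in the first column
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                    # not a parseable IP address
        return False

def off_host(text):
    """List (position, address) for every nameserver that is not loopback."""
    return [(i, a) for i, a in enumerate(nameservers(text)) if not is_loopback(a)]

if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for pos, addr in off_host(text):
        role = "queried first" if pos == 0 else "still listed after the first entry"
        print(f"nameserver #{pos + 1} {addr}: {role}")
```

Run it with a path such as /etc/resolv.conf as the only argument to audit a real file; with no argument it audits the constructed sample.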

