Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
On Tue, 8 Jul 2008 22:43:54 -0300 Henrique de Moraes Holschuh
<hmh@debian.org> wrote:
> On Tue, 08 Jul 2008, Florian Weimer wrote:
> > 1. Install a local BIND 9 resolver on the host, possibly in
> > forward-only mode. BIND 9 will then use source port randomization
> > when sending queries over the network. (Other caching resolvers can
> > be used instead.)
> >
> > 2. Rely on IP address spoofing protection if available. Successful
> > attacks must spoof the address of one of the resolvers, which may
> > not be possible if the network is guarded properly against IP
> > spoofing attacks (both from internal and external sources).
>
> 3. Install lwresd from an updated BIND9, install libnss-lwres, and
> replace "dns" with "lwres" in /etc/nsswitch.conf. Make sure to
> restart lwres when /etc/resolv.conf changes.
Hmm... libnss-lwres is orphaned (#475089), and is uninstallable on sid.
--
Hubert Chathi <uhoreg@debian.org> -- Jabber: hubert@uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
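The three workarounds discussed in this thread all change where the libc stub resolver sends its queries: either to a local caching resolver on loopback (option 1) or away from the "dns" NSS module entirely (option 3). The following POSIX shell script is an added example, not code from the thread or from Debian, that audits a host for either state by reading nsswitch.conf and resolv.conf. It assumes the usual file layout (a "hosts:" line in nsswitch.conf, "nameserver" lines in resolv.conf); the sample files it writes under a temporary directory are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report which resolver path the
# libc stub is using, based on /etc/nsswitch.conf and /etc/resolv.conf.
# The file paths are parameters so the checks can be run against copies.

# hosts_uses_lwres NSSWITCH -> success if the "hosts:" line lists lwres,
# i.e. libnss-lwres has replaced the "dns" module (workaround 3).
hosts_uses_lwres() {
    grep -E '^[[:space:]]*hosts:' "$1" | grep -qw 'lwres'
}

# resolvers_are_local RESOLV -> success if every nameserver line points
# at loopback, i.e. a local caching resolver is in front of the stub
# (workaround 1). Fails if there is no nameserver line at all.
resolvers_are_local() {
    ns=$(grep -E '^[[:space:]]*nameserver' "$1" | awk '{print $2}' || true)
    [ -n "$ns" ] || return 1
    for addr in $ns; do
        case "$addr" in
            127.*|::1) ;;          # loopback, queries stay on the host
            *) return 1 ;;         # a remote resolver: the stub is exposed
        esac
    done
    return 0
}

# stub_resolver_status NSSWITCH RESOLV -> prints one word:
#   lwres        hosts lookups bypass the libc stub (option 3)
#   local-cache  the stub only talks to a loopback resolver (option 1)
#   exposed      the stub sends queries directly to remote resolvers
stub_resolver_status() {
    if hosts_uses_lwres "$1"; then
        echo lwres
    elif resolvers_are_local "$2"; then
        echo local-cache
    else
        echo exposed
    fi
}

# Constructed sample configurations (not real host files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'hosts: files dns\n'        > "$tmp/nsswitch.dns"
printf 'hosts: files lwres\n'      > "$tmp/nsswitch.lwres"
printf 'nameserver 192.0.2.53\n'   > "$tmp/resolv.remote"
printf 'nameserver 127.0.0.1\n'    > "$tmp/resolv.local"
printf 'search example.net\n'      > "$tmp/resolv.empty"

# Usage: run against the samples, then against the real files.
for pair in "nsswitch.dns resolv.remote" \
            "nsswitch.dns resolv.local" \
            "nsswitch.lwres resolv.remote" \
            "nsswitch.dns resolv.empty"; do
    set -- $pair
    printf '%-16s %-14s -> %s\n' "$1" "$2" \
        "$(stub_resolver_status "$tmp/$1" "$tmp/$2")"
done
if [ -r /etc/nsswitch.conf ] && [ -r /etc/resolv.conf ]; then
    printf 'this host                      -> %s\n' \
        "$(stub_resolver_status /etc/nsswitch.conf /etc/resolv.conf)"
fi
```

A host reported as "exposed" still relies on the stub resolver's fixed source port, so only network-level anti-spoofing (option 2) stands between it and the attack; "local-cache" means the answers come from a resolver that randomizes source ports, assuming that resolver has itself been updated.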