Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning

To: John Elliot <johnelliot67@hotmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
From: Vincent Deffontaines <vincent@gryzor.com>
Date: Fri, 18 Jul 2008 14:08:36 +0200
Message-id: <488087C4.9000404@gryzor.com>
In-reply-to: <BAY119-W6D0F11310DA85C8710B81DA910@phx.gbl>
References: <20080710073848.32E2F13A69BE@liszt.debian.org> <20080710073851.A39F213A69D1@liszt.debian.org> <BAY119-W6D0F11310DA85C8710B81DA910@phx.gbl>

John Elliot a écrit :

Hi,
We have a couple of Sarge servers running bind9(9.2.4-1sarge3) thatappear to be vulnerable to the DNS cache poisoning issue(Looks like portrandomization was only introduced in bind9.3?) - As the servers cannotbe upgraded at this time to etch, what is the recommended course ofaction? Backports and upgrade to 9.3?


Greetings,

One solution is to let another device do the port randomization, toprotect your DNS clients.

If you run a Netfilter NAT firewall, you can use the source port NATrandomization feature of Netfilter. This feature is available in Linuxvanilla kernel since 2.6.21.1


See http://software.inl.fr//trac/wiki/contribs/RandomSkype

Vincent Deffontaines

Reply to:

Follow-Ups:
- Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
  - From: Florian Weimer <fw@deneb.enyo.de>

References:
- Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
  - From: John Elliot <johnelliot67@hotmail.com>

Prev by Date: Re: Study: Attacks on package managers (inclusing apt)
Next by Date: Re: Study: Attacks on package managers (inclusing apt)
Previous by thread: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Next by thread: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Index(es):
- Date
- Thread