Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning

To: carlos@fisica.ufpr.br (Carlos Carvalho)
Cc: debian-security@lists.debian.org
Subject: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 23 Jul 2008 07:48:21 +0200
Message-id: <87d4l5i21m.fsf@mid.deneb.enyo.de>
In-reply-to: <18564.57447.291735.558920@fisica.ufpr.br> (Carlos Carvalho's message of "Mon, 21 Jul 2008 16:15:51 -0300")
References: <20080710073848.32E2F13A69BE@liszt.debian.org> <20080710073851.A39F213A69D1@liszt.debian.org> <BAY119-W6D0F11310DA85C8710B81DA910@phx.gbl> <488087C4.9000404@gryzor.com> <87y73ws4jx.fsf@mid.deneb.enyo.de> <18564.57447.291735.558920@fisica.ufpr.br>

* Carlos Carvalho:

>  >Note that using --random with a patched resolver (one that uses stronger
>  >random numbers for source ports) makes it vulnerable again.  By default,
>  >Netfilter tries to preserve source ports, so its NAT does not destroy
>  >the effort put into BIND et al.
>
> Really? This post says the kernel randomization is good...

It applies to the configuration without --random.

Reply to:

References:
- Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
  - From: John Elliot <johnelliot67@hotmail.com>
- Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
  - From: Vincent Deffontaines <vincent@gryzor.com>
- Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
  - From: carlos@fisica.ufpr.br (Carlos Carvalho)

Prev by Date: Re: Mass-updating cached hosts keys afrer ssh security upgrade?
Next by Date: Re: [SECURITY] [DSA 1540-3] New lighttpd packages fix regression
Previous by thread: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Next by thread: Re: Sarge, Bind9 (9.2.4-1sarge3) and DNS cache poisoning
Index(es):
- Date
- Thread