
Re: [SECURITY] [DSA 3481-1] glibc security update
On Tue, Feb 16, 2016 at 04:32:00PM +0100, Peter Ludikovsky wrote:
> Hello,
> 
> A question to those more knowledgeable: we're using our own DNS
> servers for all lookups, and those do recursive lookup for any
> external addresses. Am I right to assume that Bind9 uses its own
> implementation for DNS lookups? Or are those now basically ticking
> time bombs?

Not a direct reply to your question, but in terms of whether using a
trusted recursive resolver is sufficient to protect against this in the
short term, I was interested in these quotes from [1] (which is the
full upstream advisory and analysis):

"Mitigating factors for UDP include [...]
    - A local resolver (that drops non-compliant responses)."

"- A back of the envelope analysis shows that it should be possible to
  write correctly formed DNS responses with attacker controlled payloads
  that will penetrate a DNS cache hierarchy and therefore allow
  attackers to exploit machines behind such caches."

These two statements seem at odds with each other. Does anyone have
any additional observations on this point?

Thanks,
Dominic.

[1] <https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>
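The two quoted statements turn on what "non-compliant" means. The validator below is an added illustration, not code from the advisory or from glibc: it checks a DNS response the way a strict local resolver might (complete header, matching ID, QR bit set, one question echoing the query name, every name and resource record parsed within the message, no trailing bytes, no forward or looping compression pointers) and shows that a response can pass every one of those format checks while being as large and as content-controlled as the sender likes. The query name, transaction ID and address list are constructed sample values.

```python
import struct


def _read_name(msg: bytes, offset: int, depth: int = 0) -> tuple:
    """Decode a DNS name at offset; return (name, offset after the name).
    Rejects reads past the message, labels over 63 octets, compression
    pointers that do not point backwards, and over-deep pointer chains."""
    if depth > 8:
        raise ValueError("compression pointer chain too deep")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[offset + 1]
            if ptr >= offset:  # a pointer must reference a prior occurrence
                raise ValueError("forward or self-referencing pointer")
            tail, _ = _read_name(msg, ptr, depth + 1)
            labels.append(tail)
            offset += 2
            break
        if length > 63:
            raise ValueError("label longer than 63 octets")
        offset += 1
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(l for l in labels if l), offset


def is_compliant_response(msg: bytes, expected_id: int, qname: str) -> bool:
    """True if msg is a well-formed response to the query (expected_id, qname).
    This is a format check only: it says nothing about the response's size
    or about whether the record contents are trustworthy."""
    try:
        if len(msg) < 12:
            return False
        tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        if tid != expected_id or not flags & 0x8000 or qd != 1:
            return False
        name, off = _read_name(msg, 12)
        if name.lower() != qname.lower() or off + 4 > len(msg):
            return False
        off += 4  # QTYPE, QCLASS
        for _ in range(an + ns + ar):
            _, off = _read_name(msg, off)
            if off + 10 > len(msg):  # TYPE, CLASS, TTL, RDLENGTH
                return False
            rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
            off += 10 + rdlength
            if off > len(msg):
                return False
        return off == len(msg)  # no trailing bytes allowed
    except (ValueError, UnicodeDecodeError):
        return False


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.split(".")) + b"\x00"


def build_a_response(tid: int, qname: str, addresses: list) -> bytes:
    """Constructed, fully RFC-shaped response: one question and one A record
    per address, each answer name a compression pointer to the question."""
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        + bytes(int(octet) for octet in addr.split("."))
        for addr in addresses)
    return header + question + answers


if __name__ == "__main__":
    # Constructed sample: 400 A records, well over 4 KiB, every check passes.
    big = build_a_response(0x1234, "example.com",
                           ["192.0.2.%d" % (i % 256) for i in range(400)])
    print(len(big), is_compliant_response(big, 0x1234, "example.com"))
    print(is_compliant_response(big[:-3], 0x1234, "example.com"))  # truncated
```

A resolver enforcing only these checks drops the malformed cases (truncated records, pointer loops, wrong ID) that the first quoted mitigation is about, and forwards the large well-formed one unchanged; any limit on response size or record content has to be a separate policy on top of format compliance.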