
Re: [SECURITY] [DSA 3481-1] glibc security update



On Wed, Feb 17, 2016 at 07:31:49PM +0100, Thomas Hager wrote:
> On Wed, 2016-02-17 at 10:55 +0000, Dominic Hargreaves wrote:
> > "Mitigating factors for UDP include [...]
> >     - A local resolver (that drops non-compliant responses)."
> > 
> > "- A back of the envelope analysis shows that it should be possible to
> >   write correctly formed DNS responses with attacker controlled payloads
> >   that will penetrate a DNS cache hierarchy and therefore allow
> >   attackers to exploit machines behind such caches."
> > 
> > These two statements seem at odds with each other. Does anyone have
> > any additional observations on this point?
> I tried finding an answer to the same question, and stumbled across an
> article from the SANS Internet Storm Center [1], which seems to support
> statement one:
> 
> "What can you do?
> [...]
> - make sure all systems on your network use a specific resolver and
> block outbound DNS unless it originates from this resolver (this is a
> good idea anyway!). This will limit exposure to the resolver"
> 
> But having additional confirmation on this matter would be very much
> appreciated.

The answer here implies that just any resolver will not help you,
but that there is an unbound configuration that might:

https://lists.dns-oarc.net/pipermail/dns-operations/2016-February/014349.html

Cheers,
Dominic.