[ale] DNS vulnerability

Jeff Lightner jlightner at water.com
Sun Jul 13 11:49:13 EDT 2008


FYI there is apparently a rather serious exploit of DNS that will be
detailed on August 6th.

For those of you using BIND (named) there is a quick resiliency fix
required to make your name server do randomized ports.   It also
requires removing port restriction on the query source line of your
named.conf options.

I think M$ has also released updates for their stuff.


Information from ISC on the issue:
http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php

Information from RedHat for the update to bind (the ISC updated versions
aren't the officially distributed ones those of you using RedHat
subscriptions will have).
http://rhn.redhat.com/errata/RHSA-2008-0533.html

The above is short term that decreases but does not eliminate likelihood
of being compromised.   

The long term fix is to implement DNSSEC to sign your zones but the
resiliency fix will help to lessen the likelihood of successful attack
until you can implement DNSSEC..   

There is also a presentation called DNSSEC in 6 minutes at:
http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf

FYI:  The author of the above on the BIND list has stated that of course
it takes longer than 6 minutes to go through the presentation but that
once you understand it then it should only take 6 minutes to make the
changes and keep up with them.
----------------------------------
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
----------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20080713/8a344cd8/attachment-0001.html 


More information about the Ale mailing list