Re: FreeBSD 7.1 and BIND exploit



From: Max Laier <max@xxxxxxxxxxxxxx>
Date: Mon, 21 Jul 2008 21:38:46 +0200
Sender: owner-freebsd-stable@xxxxxxxxxxx

On Monday 21 July 2008 21:14:22 Doug Barton wrote:
Brett Glass wrote:
| Everyone:
|
| Will FreeBSD 7.1 be released in time to use it as an upgrade to
| close the BIND cache poisoning hole?

Brett, et al,

I'll make this simple for you. If you have a server that is running
BIND, update BIND now. If you need to use the ports, that's fine, just
do it now. Make sure that you are not specifying a port via any
query-source* options in named.conf, and that any firewall between
your named process and the outside world does keep-state on outgoing
UDP packets.

... and that any NAT device employs at least a somewhat random port
allocation mechanism - pf provides this.

And, if you are not sure how good a job it does (and I am not), you
should use the OARC test to check how well it works:
dig +short porttest.dns-oarc.net TXT

If the result is not "GOOD", it's not good enough.

You can test a remote server by adding "@remote-server" to the dig
command. The server may be specified by name or IP address.

Don't forget that ANY server that caches data, including an end system
running a caching-only server, is vulnerable.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@xxxxxx Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

Attachment: pgpsop8AijjbX.pgp
Description: PGP signature
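Added example, not part of the thread above and not FreeBSD, ISC or pf
project code: a small sh script that checks the three things the replies
ask for, offline where possible. It flags query-source* statements in a
named.conf that pin a numeric port, flags pf nat rules that use
static-port (which turns off pf's default random source-port allocation
for translated connections), and grades the TXT answer from
porttest.dns-oarc.net. The file names, the weak/fixed sample configs and
the assumed shape of the OARC answer ("<ip> is GOOD: ..." / FAIR / POOR)
are constructed for this example; verify the answer format against a live
query before relying on the grader.

```shell
#!/bin/sh
# Added example: offline checks for the three points raised in the thread
# (no pinned query-source port in named.conf, no static-port on pf NAT
# rules, and a GOOD grade from the OARC port test). File names, sample
# configs and the assumed OARC answer format are constructed for this
# example; they are not taken from FreeBSD, ISC BIND or the list post.

# Write constructed weak/fixed named.conf and pf.conf samples into DIR.
write_samples() {
    dir="$1"
    cat > "$dir/named-weak.conf" <<'EOF'
options {
    directory "/etc/namedb";
    // weak: pins the source port, so every query leaves from port 53
    query-source address * port 53;
    query-source-v6 address * port 53;
};
EOF
    cat > "$dir/named-fixed.conf" <<'EOF'
options {
    directory "/etc/namedb";
    // no port clause: BIND picks a random source port for each query
    query-source address *;
};
EOF
    cat > "$dir/pf-weak.conf" <<'EOF'
ext_if="em0"
# weak: static-port keeps the inside source port instead of a random one
nat on $ext_if from 192.0.2.0/24 to any -> ($ext_if) static-port
EOF
    cat > "$dir/pf-fixed.conf" <<'EOF'
ext_if="em0"
# no static-port: pf allocates a random high source port per translation
nat on $ext_if from 192.0.2.0/24 to any -> ($ext_if)
# keep state on outgoing UDP so only replies to a real query get back in
pass out quick on $ext_if proto udp from any to any port 53 keep state
EOF
}

# Return 1 if any uncommented query-source* statement pins a numeric port.
check_named_conf() {
    if grep -vE '^[[:space:]]*(//|#)' "$1" \
        | grep -E '^[[:space:]]*query-source(-v6)?[^;]*port[[:space:]]+[0-9]+' >/dev/null; then
        echo "$1: query-source pins a port; remove the port clause" >&2
        return 1
    fi
    return 0
}

# Return 1 if any uncommented nat rule uses static-port, which turns off
# pf's default random source-port allocation for translated flows.
check_pf_conf() {
    if grep -vE '^[[:space:]]*#' "$1" \
        | grep -E '^[[:space:]]*nat[[:space:]].*static-port' >/dev/null; then
        echo "$1: nat rule uses static-port; drop it so pf randomises ports" >&2
        return 1
    fi
    return 0
}

# Grade the TXT answer from porttest.dns-oarc.net. Assumed answer shape
# (check against a live query): '"<ip> is GOOD: ..."', or FAIR / POOR.
# Prints the grade; returns 0 only for GOOD.
grade_porttest() {
    case "$1" in
        *" is GOOD:"*) echo GOOD; return 0 ;;
        *" is FAIR:"*) echo FAIR; return 1 ;;
        *" is POOR:"*) echo POOR; return 1 ;;
        *)             echo UNKNOWN; return 2 ;;
    esac
}

# Live check through the resolver in $1 (or the system resolver if empty).
# Needs network access, so the offline demo below does not call it.
run_porttest() {
    if [ -n "$1" ]; then
        grade_porttest "$(dig +short "@$1" porttest.dns-oarc.net TXT)"
    else
        grade_porttest "$(dig +short porttest.dns-oarc.net TXT)"
    fi
}

# Offline demo on the constructed samples; the weak files are reported.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in named-weak.conf named-fixed.conf; do
    check_named_conf "$demo_dir/$f" && echo "$f: no pinned port"
done
for f in pf-weak.conf pf-fixed.conf; do
    check_pf_conf "$demo_dir/$f" && echo "$f: no static-port"
done
# Constructed answer in the assumed OARC format.
grade_porttest '"192.0.2.1 is GOOD: 26 queries in 2.1 seconds from 26 ports with std dev 18950"'
rm -rf "$demo_dir"
```

Point check_named_conf at the real named.conf and check_pf_conf at the
real pf.conf on the NAT box, then call run_porttest once per resolver
(run_porttest 192.0.2.53 for a remote one); only that last step needs
the network. A pinned port or a static-port nat rule is worth fixing
even if the OARC test already says GOOD, since the test only sees the
ports that happened to be chosen during one short run.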
