On Wed, Feb 17, 2016 at 07:31:49PM +0100, Thomas Hager wrote:
> On Wed, 2016-02-17 at 10:55 +0000, Dominic Hargreaves wrote:
> > "Mitigating factors for UDP include [...]
> > - A local resolver (that drops non-compliant responses)."
> >
> > "- A back of the envelope analysis shows that it should be possible to
> > write correctly formed DNS responses with attacker controlled payloads
> > that will penetrate a DNS cache hierarchy and therefore allow
> > attackers to exploit machines behind such caches."
> >
> > These two statements seem at odds with each other. Does anyone have
> > any additional observations on this point?
> I tried finding an answer to the same question, and stumbled across an
> article from the SANS Internet Storm Center [1], which seems to support
> statement one:
>
> "What can you do?
> [...]
> - make sure all systems on your network use a specific resolver and
> block outbound DNS unless it originates from this resolver (this is a
> good idea anyway!). This will limit exposure to the resolver"
>
> But having additional confirmation on this matter would be very much
> appreciated.

The answer here implies that just any resolver will not help you, but
that there is an unbound configuration that might:

https://lists.dns-oarc.net/pipermail/dns-operations/2016-February/014349.html

Cheers,
Dominic.
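The thread turns on what "a local resolver that drops non-compliant responses" actually checks. The block below is an added illustration, not code from this thread, from unbound, or from the linked dns-operations post: it shows the kind of structural validation such a resolver applies to a UDP reply before handing it to a stub client. "Non-compliant" is interpreted here as an assumption: the transaction ID, QR bit and echoed question must match the query, every resource record must parse within the message with no trailing bytes, and the reply must not exceed a configurable size cap (`max_size`, defaulting to the classic 512-byte RFC 1035 UDP limit; a resolver using EDNS would raise it). The sample query and replies are constructed inline for the purpose of the example.

```python
"""Structural sanity check of a DNS response against the query that elicited it
(added example; what counts as "non-compliant" is an assumption of this code)."""
import struct
from typing import Tuple

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: one question, class IN, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Parse a possibly compressed name; return (lowercase name, offset after it).
    Raises ValueError on truncation, oversized labels or pointer loops."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        l = msg[off]
        if l & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                     # name ends after the pointer
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression loop")
            continue
        off += 1
        if l == 0:
            return ".".join(labels).lower(), (end if jumped else off)
        if l > 63 or off + l > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[off:off + l].decode("ascii", errors="replace"))
        off += l

def check_response(query: bytes, resp: bytes, max_size: int = 512) -> Tuple[bool, str]:
    """Return (accept, reason). Rejects replies that do not match the query or
    whose wire layout is inconsistent with their own header and lengths."""
    if len(resp) > max_size:
        return False, "response exceeds size cap"
    if len(resp) < 12 or len(query) < 12:
        return False, "short header"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    q_txid = struct.unpack("!H", query[:2])[0]
    if txid != q_txid:
        return False, "txid mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set (not a response)"
    if qd != 1:
        return False, "question count != 1"
    try:
        r_name, off = _read_name(resp, 12)
        q_name, q_off = _read_name(query, 12)
    except ValueError as e:
        return False, f"malformed name: {e}"
    if off + 4 > len(resp) or q_off + 4 > len(query):
        return False, "truncated question"
    if r_name != q_name or resp[off:off + 4] != query[q_off:q_off + 4]:
        return False, "question section does not echo the query"
    off += 4
    for _ in range(an + ns + ar):                 # walk every RR in the reply
        try:
            _, off = _read_name(resp, off)
        except ValueError as e:
            return False, f"malformed RR name: {e}"
        if off + 10 > len(resp):                  # TYPE, CLASS, TTL, RDLENGTH
            return False, "truncated RR header"
        rdlen = struct.unpack("!H", resp[off + 8:off + 10])[0]
        off += 10 + rdlen
        if off > len(resp):
            return False, "RDLENGTH exceeds message"
    if off != len(resp):
        return False, "trailing bytes after last RR"
    return True, "ok"

def build_a_response(query: bytes, ip: bytes) -> bytes:
    """Constructed well-formed reply: copies the question, answers with one A RR
    whose owner name is a compression pointer to offset 12."""
    txid = query[:2]
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ip
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    good = build_a_response(q, bytes([192, 0, 2, 1]))   # 192.0.2.1 is documentation space
    print(check_response(q, good))
    print(check_response(q, b"\x00\x01" + good[2:]))                 # wrong txid
    print(check_response(q, good[:39] + b"\xff\xff" + good[41:]))    # RDLENGTH overflow
    print(check_response(q, good + b"\x00"))                          # trailing byte
```

The check is deliberately independent of the answer content: it does not decide whether the data is true, only whether the packet is a well-formed reply to the question that was asked. That is the property a stub client behind a filtering resolver gains, and, as the quoted thread notes, it is also why "any resolver" is not enough: a forwarder that relays replies verbatim does not perform this step.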