At 02:24 PM 7/21/2008, Kevin Oberman wrote:

>Don't forget that ANY server that caches data, including an end system
>running a caching only server is vulnerable.

Actually, there is an exception to this. A "forward only" cache/resolver is 
only as vulnerable as its forwarder(s). This is a workaround for the 
vulnerability for folks who have systems that they cannot easily upgrade: point 
at a trusted forwarder that's patched.

We're also looking at using dnscache from the djbdns package. It's really 
idiosyncratic, but seems to work well -- and if you're just doing a caching 
resolver you don't have to touch it once you get it configured.

Of course, all solutions that randomize ports are really just "security by 
obscurity," because by shuffling ports you're hiding the way to poison your 
cache... a little.

--Brett Glass
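A check a defender can run on a resolver before trusting it as the "patched forwarder" described above: export its outbound query source ports from a packet capture and test whether they are really randomized rather than fixed or incremented. This is an added example, not code from this thread or from djbdns/BIND; the port lists are constructed stand-ins for captured data and the thresholds are illustrative assumptions.

```python
"""Assess a resolver's UDP source-port randomization from captured ports.
Added example, not from the thread or from djbdns/BIND. Port lists are
constructed stand-ins for the 'udp.srcport' column of a capture of the
resolver's outbound queries; thresholds are illustrative assumptions."""
import math
import random
from collections import Counter


def port_entropy_bits(ports):
    """Shannon entropy of the observed ports, in bits. Ceiling: n samples show
    at most log2(n) bits, so a short capture cannot prove a good resolver's
    full ~16 bits, but it exposes a fixed port or a tiny pool immediately."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def longest_sequential_run(ports):
    """Longest run where each port is the previous one plus one. Entropy alone
    misses this: a per-query increment looks as random as a real RNG over a
    short sample, yet the next port is trivially predictable."""
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def assess_port_randomization(ports, max_run=8):
    """Classify a port sample as fixed, sequential, weak or randomized."""
    n, distinct = len(ports), len(set(ports))
    bits, run = port_entropy_bits(ports), longest_sequential_run(ports)
    if distinct == 1:
        verdict = "fixed"        # a single port: nothing to guess
    elif run >= max_run:
        verdict = "sequential"   # predictable increment
    elif bits >= 0.9 * math.log2(n):
        verdict = "randomized"   # near the ceiling a sample of n allows
    else:
        verdict = "weak"         # small pool or heavily skewed choice
    return {"samples": n, "distinct": distinct, "entropy_bits": round(bits, 2),
            "longest_run": run, "verdict": verdict}


def constructed_samples(n=200, seed=2008):
    """Constructed port sequences mimicking four resolver behaviours."""
    rng = random.Random(seed)
    return {"fixed": [32768] * n,
            "sequential": [32768 + i for i in range(n)],
            "small_pool": [1024 + 7 * (i % 8) for i in range(n)],
            "randomized": [rng.randint(1024, 65535) for _ in range(n)]}
```

A resolver that lands in "fixed", "sequential" or "weak" is the kind that needs patching or replacing before anything forwards to it.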

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable