Re: cache poisoning counter-measures
On 05.01.09 15:29, Chris Henderson wrote:
> I'm trying to implement some basic counter-measures against the
> Kaminsky bug. I have had to configure my switch to allow any incoming
> query to TCP and UDP port 53 on my slave DNS server. I was wondering
> if this is going to cause any problem as far as security is concerned.
>
> Bind version 9.4.1 running in chroot jail.

The bug does not lie in server operations. It lies in client operations.

While people are querying your slave server, you have no problem. If you send recursive queries to the mentioned name server, and it sends queries out, that is a problem. It must send queries from randomised ports, which means that not only packets to tcp/udp port 53 from outside must be allowed, but packets from any port on your server to tcp/udp 53 anywhere must be allowed, and also packets from tcp/udp port 53 anywhere to any port on your server must be allowed.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: cache poisoning counter-measures
Chris Henderson wrote:
> I'm trying to implement some basic counter-measures against the
> Kaminsky bug. I have had to configure my switch to allow any incoming
> query to TCP and UDP port 53 on my slave DNS server. I was wondering
> if this is going to cause any problem as far as security is concerned.
>
> Bind version 9.4.1 running in chroot jail.

First off, 9.4.3 has been out for a while now, and has query source port randomization features that you want. You should read more about it on the ISC web site.

Second, it's not clear what you're trying to accomplish. If the hosts that will be querying this name server are inside the firewall, there is no reason that you should have to open port 53 from the outside world (except perhaps from the master name server(s)). To intelligently answer your question you're going to have to provide more details.

Doug
Re: cache poisoning counter-measures
Chris Henderson wrote:
> I'm trying to implement some basic counter-measures against the
> Kaminsky bug. I have had to configure my switch to allow any incoming
> query to TCP and UDP port 53 on my slave DNS server. I was wondering
> if this is going to cause any problem as far as security is concerned.
>
> Bind version 9.4.1 running in chroot jail.

Upgrade to 9.5.1 or better and randomize your query source port numbers. There are no other "basic counter-measures" for servers doing recursion.

AlanC
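The replies above all come down to one check: does the recursive server actually send its outbound queries from unpredictable source ports, or from a single pinned port? The script below is an added example (not code from ISC, BIND or any poster) that applies that check offline to a constructed, tcpdump-style capture of the resolver's traffic; the address 192.0.2.10, the port list and the line format are all assumptions for the sample.

```python
"""Detect whether a resolver randomises the source port of its outbound DNS queries."""
import math
import re
from collections import Counter

# Outbound query line: "IP <src>.<sport> > <dst>.53:" (constructed tcpdump-like format).
_QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+(?:\.\d+){3}\.53:")

RESOLVER = "192.0.2.10"  # constructed address of the recursive server being checked

# Constructed capture 1: every query leaves from port 53 (pinned query-source port).
PINNED_SAMPLE = [f"IP {RESOLVER}.53 > 198.51.100.{i}.53: 1000+ A? example.net. (29)"
                 for i in range(1, 11)]
# Constructed capture 2: ephemeral, unpredictable source ports (randomising resolver),
# plus one inbound reply line that must be ignored because it is not an outbound query.
_PORTS = [40231, 51877, 33019, 60144, 47502, 38861, 55390, 42777, 61103, 36498]
RANDOM_SAMPLE = [f"IP {RESOLVER}.{p} > 198.51.100.{i}.53: 1000+ A? example.net. (29)"
                 for i, p in enumerate(_PORTS, 1)]
RANDOM_SAMPLE.append(f"IP 198.51.100.1.53 > {RESOLVER}.40231: 1000 1/0/0 A 203.0.113.5 (45)")


def source_ports(lines, resolver_ip):
    """Source ports of queries sent by resolver_ip to port 53; replies are skipped."""
    ports = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution; 0 means one fixed port."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values()) if n else 0.0


def assess(lines, resolver_ip, min_samples=8):
    """Verdict dict: 'fixed-port' is the Kaminsky-exposed case the thread warns about."""
    ports = source_ports(lines, resolver_ip)
    if len(ports) < min_samples:
        return {"verdict": "insufficient-data", "queries": len(ports)}
    distinct = len(set(ports))
    verdict = "randomised" if distinct / len(ports) > 0.9 else "fixed-port"
    return {"verdict": verdict, "queries": len(ports), "distinct_ports": distinct,
            "entropy_bits": port_entropy_bits(ports)}


if __name__ == "__main__":
    for name, sample in (("pinned", PINNED_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(name, assess(sample, RESOLVER))
```

A real capture would come from `tcpdump -n udp and dst port 53` taken on the resolver; a "fixed-port" verdict means the server either predates the 9.4.3/9.5.1 randomisation or has the port pinned in its query-source options, and the firewall must also pass traffic from any local port before randomisation can take effect.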
cache poisoning counter-measures
I'm trying to implement some basic counter-measures against the Kaminsky bug. I have had to configure my switch to allow any incoming query to TCP and UDP port 53 on my slave DNS server. I was wondering if this is going to cause any problem as far as security is concerned.

Bind version 9.4.1 running in chroot jail.

Thanks.