dns update for 7.0

2008-07-10 Thread Joshua Frugé
I just joined the list (but did search the archive), so I apologize in
advance if this was already answered and I missed it.

What's the process to update the base bind in freebsd for the new
caching poisoning vuln that seems to be all the rage lately?

I'm running freebsd 7.0-RELEASE-p2 and I am using the included base
bind 9.4.2 as resolver for my network.  Will there be an update
through freebsd-update to upgrade to bind 9.4.2-p1, or is there some
other process I need to follow (compile source and replace)?

Thanks,

-- 
Joshua Frugé
[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: dns update for 7.0

2008-07-10 Thread Matthew Seaman

Joshua Frugé wrote:

I just joined the list (but did search the archive), so I apologize in
advance if this was already answered and I missed it.

What's the process to update the base bind in freebsd for the new
caching poisoning vuln that seems to be all the rage lately?

I'm running freebsd 7.0-RELEASE-p2 and I am using the included base
bind 9.4.2 as resolver for my network.  Will there be an update
through freebsd-update to upgrade to bind 9.4.2-p1, or is there some
other process I need to follow (compile source and replace)?


I recommend you install one or other of the bind ports:

  dns/bind9
  dns/bind94
  dns/bind95

All of these were updated last night to include the UDP port
randomization stuff in the latest security patch. (There's not much
point in installing dns/bind9 though, as that's a downgrade to bind9.3
from the system supplied bind-9.4.2)

You don't need to overwrite the base system bind -- the vulnerability
works on the cache of a running instance of named when configured as a 
recursive resolver.  So as long as you start up the patched daemon, everything 
should be fine.

To start up the version of bind you just installed from ports, add

 named_enable=YES
 named_program=/usr/local/sbin/named
 named_flags=-c /etc/namedb/named.conf

to /etc/rc.conf and then run:

 /etc/rc.d/named restart

and check your system logs for a line saying something like:

starting BIND 9.X.Y-P1 -c /etc/namedb/named.conf -t /var/named -u bind

where the 'P1' bit shows you're running the patched version.

There may well be a security notice and a patch for the base system
generated in the next few days: the security team is looking into the
matter and will respond in due course.  D-day for having everything
properly patched is the presentation Dan Kaminsky is doing at the
Blackhats conference on August 6th (or possibly August 7th)

The patches ISC have produced will have an adverse effect if you're
answering something in excess of  10,000 DNS queries a second, which is 
rather more than most people would get to deal with, but are otherwise 
innocuous.


 http://www.isc.org/index.pl?/sw/bind/bind-security.php

To test if a recursive nameserver is potentially vulnerable, grab
the perl script from this site:

 http://michael.toren.net/code/noclicky/

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
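An added offline check, not from the thread and not Michael Toren's noclicky script linked above, of the property the P1 patches add: random UDP source ports on the resolver's outbound queries. Given a list of source ports observed on a resolver's outgoing queries (for example pulled from a packet capture), it classifies them as fixed, sequential, weak or random; the port samples are constructed.

```python
"""Classify a resolver's observed outbound query source ports.
A fixed or sequential port leaves only the 16-bit transaction ID to guess,
which is what the caching-poisoning attack relies on; the P1 patches make
each query use a fresh random port.  Added example, not from the thread."""
from collections import Counter
from math import log2

# Constructed samples: an unpatched named reusing one socket, one walking
# the ephemeral port range in order, and a patched one picking random ports.
FIXED_PORT_SAMPLE = [32771] * 20
SEQUENTIAL_SAMPLE = list(range(32768, 32788))
RANDOM_SAMPLE = [51923, 7711, 60002, 14457, 33880, 2211, 49120, 61933,
                 10888, 27365, 58271, 4400, 45912, 19234, 37760, 55501,
                 8092, 30177, 63311, 21650]


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution, in bits."""
    counts = Counter(ports)
    n = len(ports)
    return -sum(c / n * log2(c / n) for c in counts.values())


def is_sequential(ports, max_step=2):
    """True when successive ports differ by one small constant step, i.e. a
    port counter, which is nearly as predictable as a fixed port."""
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return len(steps) == 1 and 0 < abs(next(iter(steps))) <= max_step


def assess_source_ports(ports, min_samples=10):
    """Return 'insufficient', 'fixed', 'sequential', 'weak' or 'random'.
    With N ports drawn at random from a ~64k range, every observed port is
    normally distinct, so the entropy should be close to log2(N)."""
    if len(ports) < min_samples:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed"
    if is_sequential(ports):
        return "sequential"
    # Near-maximal entropy for the sample size; tolerate a stray collision.
    if port_entropy_bits(ports) >= log2(len(ports)) - 0.2:
        return "random"
    return "weak"
```

Anything other than "random" on a patched resolver usually means a NAT or firewall in front of it is rewriting the source ports back into a predictable range, which undoes the fix.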





Re: dns update for 7.0

2008-07-10 Thread Paul Schmehl
--On Thursday, July 10, 2008 11:05:11 -0500 Joshua Frugé 
[EMAIL PROTECTED] wrote:



I just joined the list (but did search the archive), so I apologize in
advance if this was already answered and I missed it.

What's the process to update the base bind in freebsd for the new
caching poisoning vuln that seems to be all the rage lately?

I'm running freebsd 7.0-RELEASE-p2 and I am using the included base
bind 9.4.2 as resolver for my network.  Will there be an update
through freebsd-update to upgrade to bind 9.4.2-p1, or is there some
other process I need to follow (compile source and replace)?



Base bind is updated by freebsd-update *assuming* you are using the base bind 
and not the port bind *and* assuming you haven't altered any of the binaries by 
patching them manually.  You can, of course, use the tried and true make 
buildworld process to update it as well *when* the patches are released.


--
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.
