DNS spoofing vulnerability

marty marty at goodoldmarty.com
Mon Jul 14 09:32:23 PDT 2008


> djbdns and PowerDNS are not vulnerable to this new attack vector
> because they don't hold open an outbound source port for queries.
DUH? Those authors realized the implications years ago, and
took precautions that render them invulnerable today. Just
because others ignored logic does not make this 'new'.

> The QA manager for CentOS, a friend of mine, told me that glibc is
> also vulnerable.
But he was referring to their glibc, not ours;O

These 'revelations' only show the impact of rumors.

This IS the same old thing despite the newer codebase which
is affected, which adds more twists. Just because somebody
cracked a box in a lab does NOT constitute a good reason for
spreading alarm and panic.

I don't use Microsoft products, or Distributions as servers.
I don't even have a cache which can be poisoned.
I don't provide recursive DNS to the public. My DNS server
will reject out of zone queries. I don't need dnssec.
Source ports are randomized by design in my software.
Everything is behind firewalls on NAT. And I use HLFS.

You are crying wolf again. Take a Valium.

Marty B.
-- 
Electile Dysfunction : the inability to become aroused over any of the
choices for President put forth by either party in the 2008 election.
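The point argued in the thread is that a resolver which pins one outbound source port leaves only the 16-bit transaction ID for an off-path forger to guess, while randomized source ports multiply that search space. The following is an added audit helper, not code from the thread or from any of the resolvers named in it; it takes constructed (source port, txid) observations of a resolver's own outbound queries and reports whether the port is pinned and what lower bound on the guess space the sample implies.

```python
import math
from collections import Counter

# Constructed sample observations of a resolver's outbound queries as
# (UDP source port, DNS transaction ID) pairs. Not taken from the thread.
FIXED_PORT_QUERIES = [(53, 0x1a2b), (53, 0x3c4d), (53, 0x5e6f),
                      (53, 0x7081), (53, 0x92a3), (53, 0xb4c5)]
RANDOM_PORT_QUERIES = [(41233, 0x1a2b), (58012, 0x3c4d), (33901, 0x5e6f),
                       (62714, 0x7081), (49007, 0x92a3), (36410, 0xb4c5)]

TXID_SPACE = 1 << 16   # the DNS transaction ID is a 16-bit field


def shannon_entropy_bits(values):
    """Entropy of the observed distribution of values, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_outbound_queries(queries):
    """Summarise how much an off-path forger must guess to match a reply.

    Returns the number of distinct source ports seen, the port entropy in
    bits, whether the resolver pins a single port, whether a txid repeated
    within the sample, and a lower bound on the (port, txid) search space
    implied by the observations.
    """
    ports = [port for port, _ in queries]
    txids = [txid for _, txid in queries]
    distinct_ports = len(set(ports))
    fixed_port = distinct_ports == 1
    # A repeated txid inside a small sample is itself a warning sign.
    txid_reuse = len(txids) != len(set(txids))
    return {
        "distinct_ports": distinct_ports,
        "port_entropy_bits": round(shannon_entropy_bits(ports), 3),
        "fixed_port": fixed_port,
        "txid_reuse": txid_reuse,
        # With a pinned port only the 16-bit txid is unknown; every extra
        # distinct port observed multiplies what a forged reply must hit.
        "min_search_space": TXID_SPACE * distinct_ports,
    }


if __name__ == "__main__":
    for label, sample in (("fixed port", FIXED_PORT_QUERIES),
                          ("random port", RANDOM_PORT_QUERIES)):
        print(label, assess_outbound_queries(sample))
```

The sample sizes are tiny, so the search-space figure is only a lower bound; on a real resolver you would feed in ports captured from many queries.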
