DNS spoofing vulnerability

marty marty at goodoldmarty.com
Tue Jul 15 07:41:08 PDT 2008


> 
> You're using a resolving name server somewhere. That resolving name  
> server almost certainly has a cache.

I only use my ISP's resolvers which do have caches, but
that's AT&T's problem, not mine.

> 
>> > I don't provide recursive DNS to the public.
> 
> Does it provide recursive DNS service to anyone? To you? If so, your  
> recursion restriction does not protect you.

No. I only serve authoritative DNS, but with a split horizon
for the stuff on private IPs too. It has a DNS proxy that
passes recursion to my ISP, and only when I enable that for
maintenance purposes. Otherwise, SERVFAIL is all ya get.

Likewise, my other subnets are managed in a similar manner.
I have ALWAYS distrusted caching resolvers and am loath to
run one myself.

>> > Source ports are randomized by design in my software.
> 
> If you use BIND as a resolving name server, the versions available  
> before last Tuesday did not change their randomized ports between  
> queries.

I wouldn't use BIND on a bet. I use PowerDNS and I do not
build the recursor/resolver part either.

> 
>> > Everything is behind firewalls on NAT. And I use HLFS.
> 
> None of that will help you in the slightest if you run a resolving  
> name server based on BIND.
> 

But I don't run BIND, do I?

None of these things you say seem to relate to my situation.
Must be a coincidence...

Marty B.


-- 
Electile Dysfunction : the inability to become aroused over
any of the choices for President put forth by either party
in the 2008 election.
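The point at issue in the exchange above is whether a resolver changes its UDP source port between queries, because a fixed port leaves only the 16-bit transaction ID for a blind spoofer to guess. The Python below is an added example written for this page, not code from the original post, from PowerDNS or from BIND: it reads a list of (transaction ID, source port) pairs such as you would pull from a packet capture of a resolver's outbound queries, reports whether the port is being reused, and then works out how many Kaminsky-style races a spoofer needs on average to land a forged answer. The query samples are constructed by hand, and the figure of 100 forged answers delivered per race window is an assumption chosen only to make the two cases comparable.

```python
"""Added example (not from the original post or from any DNS project):
quantify what a reused resolver source port gives a blind DNS spoofer.

Model: for each query the resolver sends, the attacker floods forged
answers and wins if one of them matches both the 16-bit transaction ID
and the UDP source port before the genuine answer arrives. Nothing here
touches the network.
"""
from collections import Counter
import math

# Constructed samples of (transaction_id, udp_source_port) for outbound
# queries. The first set mimics a resolver that keeps one port open for
# every query; the second mimics per-query port randomisation.
FIXED_PORT_SAMPLE = [(0x1a2b, 32768), (0x9c4d, 32768), (0x0311, 32768),
                     (0x7f7f, 32768), (0xe001, 32768)]
RANDOM_PORT_SAMPLE = [(0x1a2b, 51873), (0x9c4d, 2049), (0x0311, 60211),
                      (0x7f7f, 33901), (0xe001, 49155)]


def port_reuse_report(samples):
    """Summarise the source-port behaviour seen in (txid, sport) pairs.

    Returns (distinct_ports, entropy_bits). One distinct port with zero
    entropy means the port adds nothing to what the spoofer must guess.
    """
    counts = Counter(sport for _, sport in samples)
    n = len(samples)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return len(counts), entropy


def per_packet_hit_probability(port_space, txid_bits=16):
    """Chance that one forged answer matches both TXID and source port.

    port_space is the number of ports the attacker has to cover: 1 for a
    fixed (or otherwise observable) port, 64512 for a resolver drawing
    from the whole unprivileged range 1024-65535.
    """
    return 1.0 / ((1 << txid_bits) * port_space)


def race_win_probability(port_space, forged_per_race, txid_bits=16):
    """Probability of winning one race window in which the attacker can
    deliver forged_per_race answers before the genuine one arrives."""
    p = per_packet_hit_probability(port_space, txid_bits)
    return 1.0 - (1.0 - p) ** forged_per_race


def expected_races(port_space, forged_per_race, txid_bits=16):
    """Expected number of races (one per fresh random-subdomain query)
    before the first win; the race count is geometrically distributed."""
    return 1.0 / race_win_probability(port_space, forged_per_race, txid_bits)


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORT_SAMPLE),
                          ("random", RANDOM_PORT_SAMPLE)):
        distinct, bits = port_reuse_report(sample)
        print(f"{label}: {distinct} distinct port(s), "
              f"{bits:.2f} bits of port entropy")
    forged = 100  # assumption: forged answers landed per race window
    for label, space in (("fixed port", 1), ("ports 1024-65535", 64512)):
        print(f"{label}: expected races to poison "
              f"= {expected_races(space, forged):,.0f}")
```

With a fixed port the attacker needs on the order of a few hundred races at 100 forged packets each, which is minutes of work; randomising across the unprivileged port range multiplies that by the size of the port space. The entropy figure from a handful of captured queries only tells you whether the port is obviously reused; a real audit should look at thousands of queries and also check that the transaction IDs themselves are not predictable.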
