DNS spoofing vulnerability
marty at goodoldmarty.com
Tue Jul 15 07:41:08 PDT 2008
> You're using a resolving name server somewhere. That resolving name
> server almost certainly has a cache.
I only use my ISP's resolvers which do have caches, but
that's AT&T's problem, not mine.
>> > I don't provide recursive DNS to the public.
> Does it provide recursive DNS service to anyone? To you? If so, your
> recursion restriction does not protect you.
No. I only serve authoritative DNS, but with a split horizon
for the stuff on private IPs too. It has a DNS proxy that
passes recursion to my ISP, and only when I enable that for
maintenance purposes. Otherwise, SERVFAIL is all ya get.
Likewise, my other subnets are managed in a similar manner.
I have ALWAYS distrusted caching resolvers and am loath to
run one myself.
>> > Source ports are randomized by design in my software.
> If you use BIND as a resolving name server, the versions available
> before last Tuesday did not change their randomized ports between
I wouldn't use BIND on a bet. I use PowerDNS and I do not
build the recursor/resolver part either.
>> > Everything is behind firewalls on Nat. And I use HLFS.
> None of that will help you in the slightest if you run a resolving
> name server based on BIND.
But I don't run BIND, do I?
None of these things you say seem to relate to my situation.
Must be a coincidence...
Electile Dysfunction: the inability to become aroused over any of the choices for President put forth by either party in the 2008
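The exchange above turns on whether a resolver randomizes the UDP source port and transaction ID of its outgoing queries, the two values a blind cache-poisoning attacker has to guess. As an added example (not code from this thread, from PowerDNS, or from HLFS), the following script scores a list of (source port, TXID) pairs that an operator would collect by watching their own resolver's outbound queries; the three sample sets are constructed with a seeded generator rather than captured from any real server, and the port-pattern heuristics and thresholds are the script's own assumptions.

```python
"""
Score a resolver's outgoing-query (source port, TXID) pairs for predictability.
Added example, not from the thread or any resolver project. All samples below
are constructed with a fixed seed; replace them with pairs observed on your own
resolver's upstream interface.
"""
from collections import Counter
from math import log2
import random


def shannon_entropy(values):
    """Empirical entropy in bits of `values`. Note this is bounded above by
    log2(len(values)), so with a small sample it is a lower bound on the
    resolver's true randomness, never proof of it."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * log2(c / n) for c in Counter(values).values())


def is_sequential(values, tolerance=1):
    """Heuristic (an assumption of this example): True when at least 90% of
    consecutive differences equal one small step, i.e. the next value is
    trivially predictable from the previous one."""
    if len(values) < 3:
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    common_step, count = Counter(steps).most_common(1)[0]
    return abs(common_step) <= tolerance and count >= 0.9 * len(steps)


def assess(samples):
    """samples: list of (source_port, txid) tuples, one per outgoing query.
    Returns entropy figures plus a plain-language verdict."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    distinct_ports = len(set(ports))
    if distinct_ports == 1:
        verdict = "fixed source port: an attacker need only guess the 16-bit TXID"
    elif is_sequential(ports):
        verdict = "sequential source ports: the next port is predictable"
    else:
        verdict = "source port varies: guess space is roughly port bits plus TXID bits"
    return {
        "distinct_ports": distinct_ports,
        "port_entropy_bits": round(shannon_entropy(ports), 2),
        "txid_entropy_bits": round(shannon_entropy(txids), 2),
        "verdict": verdict,
    }


# Constructed sample sets (seeded so the run is reproducible), 200 queries each.
_rng = random.Random(2008)
FIXED_PORT = [(53, _rng.randrange(65536)) for _ in range(200)]          # pre-fix style
SEQUENTIAL = [(32768 + i, _rng.randrange(65536)) for i in range(200)]   # OS-assigned ephemeral ports
RANDOMISED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(200)]

if __name__ == "__main__":
    for name, samples in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL), ("randomised", RANDOMISED)):
        print(name, assess(samples))
```

Reading the output: only the third verdict is acceptable for a resolver exposed to the Kaminsky-style attack discussed in the thread. The entropy figures are capped by the sample size, so a 200-query capture can report at most about 7.6 bits per field; collect more queries before drawing conclusions about a resolver that appears to randomize.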