DNS spoofing vulnerability

Chris Buxton cbuxton at menandmice.com
Tue Jul 15 10:49:41 PDT 2008


Marty,

You're right, none of the BIND server stuff relates to you - I think  
AT&T should be able to upgrade their servers in time, if they haven't  
already. We're only discussing it because you brought it up.

If you want to check on AT&T's progress, execute this command  
[assuming you have dig installed]:

dig +short porttest.dns-oarc.net TXT

This will test your default resolver (AT&T's) and give you a readout  
of whether their server is still vulnerable. If it is, this affects  
you, because a successful attack on their resolver is an attack on you.

My original question, about glibc's stub resolver, has already been  
answered by Robert.

Chris Buxton
Professional Services
Men & Mice

On Jul 15, 2008, at 7:41 AM, marty wrote:

>>
>> You're using a resolving name server somewhere. That resolving name
>> server almost certainly has a cache.
>
> I only use my ISP's resolvers which do have caches, but
> that's AT&T's problem, not mine.
>
>>
>>>> I don't provide recursive DNS to the public.
>>
>> Does it provide recursive DNS service to anyone? To you? If so, your
>> recursion restriction does not protect you.
>
> No. I only serve authoritative DNS, but with a split horizon
> for the stuff on private IPs too. It has a DNS proxy that
> passes recursion to my ISP, and only when I enable that for
> maintenance purposes. Otherwise, SERVFAIL is all ya get.
>
> Likewise, my other subnets are managed in a similar manner.
> I have ALWAYS distrusted caching resolvers and am loath to
> run one myself.
>
>>>> Source ports are randomized by design in my software.
>>
>> If you use BIND as a resolving name server, the versions available
>> before last Tuesday did not change their randomized ports between
>> queries.
>
> I wouldn't use BIND on a bet. I use PowerDNS and I do not
> build the recursor/resolver part either.
>
>>
>>>> Everything is behind firewalls on NAT. And I use HLFS.
>>
>> None of that will help you in the slightest if you run a resolving
>> name server based on BIND.
>>
>
> But I don't run BIND, do I?
>
> None of these things you say seem to relate to my situation.
> Must be a coincidence...
>
> Marty B.
>
>
> -- 
> Electile Dysfunction : the inability to become aroused over
> any of the
> choices for President put forth by either party in the 2008
> election.

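The port test Chris points to reports whether the resolver's outbound queries use varying UDP source ports. As an added illustration (not code from this thread, nor the dns-oarc service itself), the following Python script applies the same measurement to a constructed capture of a resolver's (source port, transaction ID) pairs; the thresholds, verdict labels and sample captures are this example's own assumptions. It also includes a small helper that unquotes the TXT strings `dig +short` prints, so the real test's answer can be consumed by a script.

```python
"""Assess a resolver's source-port randomisation from observed queries.

Added example for this thread; it is not the dns-oarc porttest service and
not code from the list. It reproduces the idea behind that check: record the
UDP source port and transaction ID the resolver used on successive outbound
queries, then measure how much they vary. A resolver that reuses one port or
counts upward leaves a spoofer only the 16-bit transaction ID to guess.
"""
import math
import random
import re
import statistics
from typing import Dict, Sequence, Tuple

# Thresholds are this example's own assumptions, not dns-oarc's criteria.
MIN_SAMPLES = 10        # fewer queries say little about the distribution
GOOD_STDDEV = 10_000    # ports spread widely across the 16-bit space
MAX_SEQ_STEP = 2        # consecutive ports this close look like a counter

Sample = Tuple[int, int]  # (UDP source port, DNS transaction ID)


def port_stats(ports: Sequence[int]) -> Dict[str, object]:
    """Summarise how much the observed source ports vary."""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return {
        "queries": len(ports),
        "distinct_ports": len(set(ports)),
        "stddev": statistics.pstdev(ports) if len(ports) > 1 else 0.0,
        # a counter-style allocator shows up as tiny steps between queries
        "sequential": bool(steps) and all(abs(s) <= MAX_SEQ_STEP for s in steps),
    }


def observed_entropy_bits(samples: Sequence[Sample]) -> float:
    """Bits of variation actually seen in (port, txid) across the sample.

    A forged reply must match both fields. A fixed or sequential port adds
    nothing; otherwise log2(distinct ports seen) is a lower bound on the
    port entropy in use, and likewise for transaction IDs.
    """
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    stats = port_stats(ports)
    port_bits = 0.0
    if not stats["sequential"] and stats["distinct_ports"] > 1:
        port_bits = math.log2(stats["distinct_ports"])
    txid_bits = math.log2(len(set(txids))) if len(set(txids)) > 1 else 0.0
    return port_bits + txid_bits


def verdict(samples: Sequence[Sample]) -> str:
    """Classify the resolver; the labels are this example's own choice."""
    ports = [p for p, _ in samples]
    if len(ports) < MIN_SAMPLES:
        return "INCONCLUSIVE"
    stats = port_stats(ports)
    if stats["distinct_ports"] == 1 or stats["sequential"]:
        return "POOR"   # only the transaction ID protects the cache
    if stats["stddev"] < GOOD_STDDEV:
        return "FAIR"   # randomised, but within a narrow band
    return "GOOD"


def parse_dig_short_txt(output: str) -> str:
    """Join the quoted strings `dig +short ... TXT` prints into one text."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', output))


def _txid(i: int) -> int:
    """Deterministic stand-in for a randomised 16-bit transaction ID."""
    return (0x1A2B + 1337 * i) % 65536


# Constructed captures of 26 successive queries each (not real traffic).
FIXED_PORT = [(53, _txid(i)) for i in range(26)]            # one port forever
SEQUENTIAL = [(32768 + i, _txid(i)) for i in range(26)]     # counter allocator
NARROW = [(40000 + 100 * i, _txid(i)) for i in range(26)]   # varies, small band
_rng = random.Random(2008)
_spread = [1024 + 2477 * i for i in range(26)]              # evenly spread ports
_rng.shuffle(_spread)
RANDOMISED = [(p, _txid(i)) for i, p in enumerate(_spread)]


if __name__ == "__main__":
    for name, capture in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                          ("narrow", NARROW), ("randomised", RANDOMISED)]:
        s = port_stats([p for p, _ in capture])
        print(f"{name:<11} {verdict(capture):<5} distinct={s['distinct_ports']:>2} "
              f"stddev={s['stddev']:>8.1f} bits={observed_entropy_bits(capture):.1f}")
```

To apply this to a real resolver you would capture its outbound port 53 traffic on the machine it runs on and feed the (source port, ID) pairs to `verdict`; the external porttest does the same from the other side. The entropy figure is deliberately a lower bound: with 26 queries you can never observe more than log2(26) bits per field, which is why the standard deviation, not the count, is what separates FAIR from GOOD.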