tech-security archive


Re: ISC BIND Amplification Attack



On Mon, 26 Jan 2009, Brian A. Seklecki wrote:

>   Do we want to take a position on the recently exploited DNS cache query/
>   response amplification?

I don't think NetBSD needs to.

>   Maybe just an official position that authoritative nameservers
>   running 3.x and 2.x upgrade to BIND 9.5.x via Pkgsrc?

9.3.x and 9.4.x are fine. You can set allow-query site wide in options to 
only allow queries from your desired networks and then use "allow-query { 
any; };" in each of your public zones.

> Version Summary:
> 
>  NetBSD-5: BIND 9.5.0-P2
>  NetBSD-4: BIND 9.4.2-P2
>  NetBSD-3: BIND 9.3.5-P1

These versions don't include the OpenSSL fixes (where there is a chance 
to fool DNSSEC), but that is unrelated to this thread.
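
The allow-query layout described in the reply above, written out as a named.conf fragment. This is an added example, not part of the original message; the ACL name "trusted", the 192.0.2.0/24 network, the zone name and the zone file name are assumed placeholders.

```conf
// Constructed example: ACL name, network, zone name and file are placeholders.
acl trusted {
    localhost;
    192.0.2.0/24;          // your own client network (documentation range)
};

options {
    // Site-wide default: only the desired networks may query this server.
    // Queries from anywhere else are refused unless a zone overrides this.
    allow-query { trusted; };
};

// Public authoritative zone: override the site-wide default so that
// anyone can query the data this server is authoritative for.
zone "example.org" {
    type master;
    file "example.org.db";
    allow-query { any; };
};
```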

