Mick wrote:
> Hi All,
>
> Have you seen this?
>
> http://uk.news.yahoo.com/afp/20080709/ttc-us-it-internet-software-crime-e0bba4a.html
>
> and this?
>
> http://www.doxpara.com/
>
> Is it merely a matter of using the right version of bind (for those who run a
> bind daemon locally), or does it go further than that?

This note from the author of maradns might help understand the issue.

(FWIW, maradns is straightforward and simple if you want to try it on an
interim basis 'til bind is fixed.)

"MaraDNS is immune to the new cache poisoning attack. MaraDNS has
always been immune to this attack. Ditto with Deadwood (indeed,
people can use MaraDNS or Deadwood on the loopback interface to
protect their machines from this attack).

OK, basically, this is an old problem DJB wrote about well over seven
years ago. The solution is to randomize both the query ID and the
source port; MaraDNS/Deadwood do this (and have been doing this since
around the time of their first public releases that could resolve DNS
queries) using a cryptographically strong random number generator
(MaraDNS uses an AES variant; Deadwood uses the 32-bit version of
Radio Gatun)."

- Sam

--
gentoo-user@l.g.o mailing list
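Sam's note says the fix is to randomize both the query ID and the source port. The following is an added illustration for this thread, not code from the thread, from MaraDNS, from Deadwood or from BIND: a small Python model of the guessing game an off-path spoofer has to win. The attacker cannot see the resolver's outgoing query, so every forged reply is a blind guess at the 16-bit transaction ID and, when it is randomized, the UDP source port as well. The numbers it uses (100 spoofed replies per query, 500 queries, an ephemeral port range of 1024 to 65535, port 53 for a resolver that does not randomize) are assumed parameters chosen for the example, not measurements of any real resolver.

```python
"""Why randomizing both the query ID and the source port matters.

Added example for this thread; it is not code from MaraDNS, Deadwood or
BIND. It models an off-path attacker who cannot see the resolver's outgoing
query and must guess the fields the resolver uses to match a reply to it:
the 16-bit transaction ID, plus the UDP source port when that is randomized.
Every spoofed reply is one guess; the first guess that lands wins the race.
Guess counts, query counts and the port range are assumed parameters for
illustration, not measurements of any real resolver.
"""
import math
import random

TXID_SPACE = 1 << 16                 # DNS transaction ID is a 16-bit field
PORT_LOW, PORT_HIGH = 1024, 65536    # assumed ephemeral source-port range
PORT_SPACE = PORT_HIGH - PORT_LOW
FIXED_PORT = 53                      # assumed port of a non-randomizing resolver


def per_query_odds(guesses_per_query, randomize_port):
    """Chance that one query is poisoned by `guesses_per_query` spoofed replies."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return min(1.0, guesses_per_query / space)


def success_probability(guesses_per_query, queries, randomize_port):
    """Chance the attacker wins at least one of `queries` independent races."""
    p = per_query_odds(guesses_per_query, randomize_port)
    return 1.0 - (1.0 - p) ** queries


def queries_for_even_odds(guesses_per_query, randomize_port):
    """Number of races the attacker needs before having a 50% chance of a win."""
    p = per_query_odds(guesses_per_query, randomize_port)
    return math.log(0.5) / math.log(1.0 - p)


def first_poisoned_query(rng, guesses_per_query, queries, randomize_port):
    """Monte Carlo race: index of the first query a spoofed reply matches, or None.

    `rng` is a seeded random.Random so runs are reproducible. A real resolver
    must draw its IDs and ports from a cryptographically strong generator, as
    Sam's note says; a predictable generator lets the attacker skip guessing.
    """
    for i in range(queries):
        # The resolver picks the values the attacker has to hit.
        txid = rng.getrandbits(16)
        port = rng.randrange(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
        # The attacker floods spoofed replies, each carrying an independent guess.
        for _ in range(guesses_per_query):
            guess_txid = rng.getrandbits(16)
            guess_port = rng.randrange(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
            if guess_txid == txid and guess_port == port:
                return i
    return None


def simulate(trials, guesses_per_query, queries, randomize_port, seed=2008):
    """Run `trials` independent races and return how many the attacker won."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        if first_poisoned_query(rng, guesses_per_query, queries, randomize_port) is not None:
            wins += 1
    return wins


if __name__ == "__main__":
    for randomize in (False, True):
        label = "txid + random port" if randomize else "txid only, fixed port"
        print(f"{label}: P(win within 500 queries, 100 spoofs each) = "
              f"{success_probability(100, 500, randomize):.2e}; "
              f"queries for even odds = {queries_for_even_odds(100, randomize):.0f}; "
              f"simulated wins = {simulate(20, 100, 500, randomize)}/20")
```

With only the transaction ID randomized the attacker's search space is 65536 values, so a few hundred queries with a modest flood of forged replies give better than even odds; adding a random source port multiplies the space by the size of the port range, pushing the number of queries needed for the same odds into the tens of millions. The model treats each query as an independent race, which is the attacker's best case; it says nothing about how the attacker gets the resolver to issue that many queries, and the strength of the random number generator is assumed, not modelled.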