From: Michael Carew (MichaelCarew_at_bytecraftsystems.com)
Date: Tue Nov 12 2002 - 17:58:12 CST


    At least limiting it prevents someone setting up an authoritative server,
    then making a query to that domain off your name server.

    They are then reliant on a legitimate client querying the server with the
    malicious content, rather than them doing it themselves.

    Reducing the chances substantially I would imagine.

    ----- Original Message -----
    From: "Jacques A. Vidrine" <nectarFreeBSD.org>
    To: "Michael Carew" <carewmbytecraft.au.com>
    Cc: <freebsd-securityFreeBSD.ORG>
    Sent: Wednesday, November 13, 2002 10:47 AM
    Subject: Re: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)]

    > On Wed, Nov 13, 2002 at 10:41:15AM +1100, Michael Carew wrote:
    > > One thing that the advisory seems to leave out, is limiting recursion,
    > > rather than disabling.
    >
    > It leaves it out because it doesn't help much. Your name server will
    > still query other name servers, and those other name servers (or
    > someone spoofing them, maybe) can send malicious replies that your
    > name server will process.
    >
    > Cheers,
    > --
    > Jacques A. Vidrine <nectarcelabo.org> http://www.celabo.org/
    > NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
    > jvidrineverio.net . nectarFreeBSD.org . nectarkth.se
    >


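The "limit rather than disable" option discussed in this thread, shown as a named.conf fragment. This is an added example, not part of either message; the ACL name and the 192.0.2.0/24 network are placeholders. As the quoted reply points out, the server still processes replies from the name servers it queries on behalf of the permitted clients, so this narrows who can trigger a lookup and is not a substitute for patching.

```conf
// Before: no allow-recursion statement, so the server recurses for any
// client that can reach it.
//
// options {
//     directory "/etc/namedb";
// };

// After: recursion is offered only to the listed clients.
// "internal" and 192.0.2.0/24 are placeholder values.
acl internal {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/etc/namedb";

    // Only these clients may have the server recurse for them. Other
    // clients are still answered for zones this server is authoritative for.
    allow-recursion { internal; };
};
```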