From: Len Conrad (LConrad_at_Go2France.com)
Date: Tue Nov 12 2002 - 18:16:50 CST

    >At least limiting it prevents someone setting up an authoritative server,
    >then making a query to that domain off your name server.

    In the Men and Mice DNS Security course, we call this "triggered poisoning".

    With BIND8, limiting/disabling recursion and disabling glue-fetching will
    keep you pretty secure from cache poisoning, and from this particular
    vulnerability.

    The attacker could send you email that bounced causing your MX to query his
    DNS to send the bounce msg, but your MX wouldn't be querying his tricked up
    DNS for SIG records. SIG records are for DNSSEC signed zones and signed
    records. How many BIND8 zones even have SIG records to respond with?

    Len
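
Added example, not part of Len Conrad's message: a small Python check that reads the `options` block of a BIND 8 `named.conf` and reports whether recursion is unrestricted or glue fetching is left on, the two settings the message names. The sample configurations are constructed, the function names are hypothetical, and the code assumes BIND 8's defaults of `recursion yes` and `fetch-glue yes` when a statement is absent.

```python
import re

DEFAULTS = {"recursion": "yes", "fetch-glue": "yes"}  # assumed BIND 8 defaults

def strip_comments(text):
    # named.conf accepts /* */, // and # comments (markers inside quoted
    # strings are not handled; simplification for this example).
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_block(text):
    # Body of the options { ... } statement, tracking nested braces.
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return ""

def audit(conf):
    # Returns a list of findings; an empty list means both settings are tightened.
    body = options_block(strip_comments(conf))
    cur = dict(DEFAULTS)
    for key in DEFAULTS:
        m = re.search(r"(?<![\w-])%s\s+(\w+)\s*;" % re.escape(key), body)
        if m:
            cur[key] = m.group(1).lower()
    acl = re.search(r"(?<![\w-])allow-recursion\s*\{([^}]*)\}", body)
    allowed = [a.strip() for a in acl.group(1).split(";") if a.strip()] if acl else ["any"]
    findings = []
    if cur["recursion"] != "no" and "any" in allowed:
        findings.append("recursion open to any client")
    if cur["fetch-glue"] != "no":
        findings.append("fetch-glue enabled")
    return findings

# Constructed sample configurations (not taken from the thread).
WEAK = 'options {\n  directory "/etc/namedb";  // recursion, fetch-glue at defaults\n};\n'
AUTH_ONLY = 'options {\n  recursion no;   # authoritative-only\n  fetch-glue no;\n};\n'
LIMITED = ('acl "internal" { 192.0.2.0/24; };\n'
           'options {\n  allow-recursion { "internal"; };\n  fetch-glue no;\n};\n')

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("AUTH_ONLY", AUTH_ONLY), ("LIMITED", LIMITED)):
        print(name, audit(conf) or "ok")
```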
