Re: SANS: DNS Bug Now Public?

• From: Phil Regnauld
• Date: Thu Jul 24 04:45:15 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

Joe Abley (jabley) writes:
>
> Having just seen some enterprise types spend time patching their 
> nameservers, it's also perhaps worth spelling out that "patch" in this case 
> might require more than upgrading resolver code -- it could also involve 
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT 
> reassigns source ports in a predictable fashion, then no amount of BIND9 
> patching is going to help.

	Case in point, we've got customers running around in circles
	screaming "we need to upgrade, please help us upgrade NOW",
	but they have _3_ layers of routers and firewalls that are hardcoded to
	only allow DNS queries from port 53.

• Follow-Ups:
  • Re: SANS: DNS Bug Now Public? Paul Vixie

• References:
  • SANS: DNS Bug Now Public? Jon Kibler
  • Re: SANS: DNS Bug Now Public? Jorge Amodio
  • Re: SANS: DNS Bug Now Public? Steven M. Bellovin
  • Re: SANS: DNS Bug Now Public? Jorge Amodio
  • Re: SANS: DNS Bug Now Public? Joe Abley

• Prev by Date: Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)
• Next by Date: Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)
• Date Index
• Thread Index
• Author Index
• Historical