Security Incidents mailing list archives
Re: DNS cache poisoning?
From: David Pick <d.m.pick () qmul ac uk>
Date: Wed, 17 Aug 2005 07:44:34 +0100
> Your first step should be to remove your DNS services from that WinNT box to something that is less vulnerable and start using a BIND based DNS solution

<snip>

I'd agree wholeheartedly with the first part of this. But: There are other DNS servers available for UNIX/Linux that are even less vulnerable than BIND. BIND is pretty good, but still has "features" that are unnecessary, and any unnecessary code can contain vulnerabilities.

I use a package called "DJBDNS" (see: http://cr.yp.to/) that is a little more work to set up but which, once running, is *very* stable. It's also easier to keep the zone files maintained: they're a different format from BIND, but simpler to update.

One thing that many people find makes DJBDNS harder is that it uses different programs for running a DNS cache and for supplying master sources of DNS data, so for most people both have to be set up, but each is individually easier to set up *safely* than BIND. It is also much more conservative than BIND about adding the "additional" records in a response to the cache, and this makes it almost impossible to poison the cache program.

Just my 2p-worth. Don't get the impression BIND is dangerous: it isn't; but it is possible to do even better.

-- 
David Pick
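The "conservative about additional records" behaviour the post credits DJBDNS with is usually called a bailiwick check: a cache only keeps records from a response whose owner names fall inside the zone it asked that server about. The following is an added illustration, not code from the post or from djbdns; the zone names, addresses and the RR/filter_response helpers are constructed for the example.

```python
# Added example (not from the list post or from djbdns): a minimal
# "bailiwick" filter of the kind the post credits djbdns with. A resolver
# that queried a server authoritative for `zone` should only cache records
# whose owner names are `zone` or a subdomain of it; everything else is
# dropped before it reaches the cache. All names/addresses are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "ns1.example.net."
    rtype: str  # record type, e.g. "A", "NS"
    data: str   # rdata as text


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (label-wise,
    case-insensitive), so "notexample.net." is NOT inside "example.net."."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_response(zone, answer, authority, additional):
    """Return (accepted, rejected): records the cache may keep vs. dropped.
    Answer records are checked too: a server for `zone` must not be able
    to supply answers for names outside it."""
    accepted, rejected = [], []
    for rr in (*answer, *authority, *additional):
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed response from a server authoritative for example.net.;
    # the last additional record targets a name in an unrelated zone.
    zone = "example.net."
    answer = [RR("www.example.net.", "A", "192.0.2.10")]
    authority = [RR("example.net.", "NS", "ns1.example.net.")]
    additional = [
        RR("ns1.example.net.", "A", "192.0.2.53"),        # legitimate glue
        RR("login.bank.example.", "A", "198.51.100.66"),  # out of bailiwick
    ]
    ok, dropped = filter_response(zone, answer, authority, additional)
    print("cached:", [rr.name for rr in ok])
    print("dropped:", [rr.name for rr in dropped])
```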