nanog mailing list archives

Re: Multiple DNS implementations vulnerable to cache poisoning


From: "Jay R. Ashworth" <jra () baylink com>
Date: Wed, 9 Jul 2008 09:16:53 -0400

On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-François Mezei wrote:
> My DNS server made the various DNS requests from the same port and is
> thus vulnerable. (VMS TCPIP Services so no patches expected).

Well, yes, but unless I've badly misunderstood the situation, all
that's necessary to mitigate this bug is to interpose a non-buggy
recursive resolver between the broken machine and the Internet at
large, right?

So just make sure your corporate/campus edge router has a reasonable
named on it, and point everything broken at that, and you should be ok,
even though, as you note, DEC won't be updating VMS any time soon.  :-)

Cheers,
-- jr 'Compaq?  No, that's HP now, isn't it?' a
-- 
Jay R. Ashworth                   Baylink                      jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

             Those who cast the vote decide nothing.
             Those who count the vote decide everything.
               -- (Joseph Stalin)
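
Added example, not part of the original message: a Python check over constructed query-log data that flags resolvers sending their queries from the same or a predictable UDP source port, the condition described in the quoted text, so they can be pointed at a patched recursive resolver as the reply suggests. The addresses, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample data: (resolver address, UDP source port) pairs in arrival
# order, as an authoritative server's query log might record them.
# Addresses are RFC 5737 documentation addresses.
OBSERVATIONS = (
    [("192.0.2.10", 1025)] * 6
    + [("192.0.2.20", p) for p in range(32768, 32774)]
    + [("192.0.2.53", p) for p in (50312, 1873, 61004, 23977, 40122, 9155)]
    + [("192.0.2.77", 40000), ("192.0.2.77", 12345)]
)

MIN_SAMPLES = 5      # assumption: fewer queries than this is not judged
MAX_STEP = 16        # assumption: small positive steps mean a counter
NARROW_STDDEV = 300  # assumption: illustrative cut-off, not a standard


def classify(ports):
    """Label one resolver's source-port behaviour from ports in arrival order."""
    if len(ports) < MIN_SAMPLES:
        return "insufficient-data"
    if len(set(ports)) == 1:
        return "fixed"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(0 < s <= MAX_STEP for s in steps):
        return "sequential"
    if pstdev(ports) < NARROW_STDDEV:
        return "narrow"
    return "randomized"


def audit(observations):
    """Group observations by resolver and classify each one."""
    by_resolver = defaultdict(list)
    for addr, port in observations:
        by_resolver[addr].append(port)
    return {addr: classify(ports) for addr, ports in by_resolver.items()}


def needs_forwarder(report):
    """Resolvers whose ports are predictable: candidates for forwarding
    through a patched recursive resolver instead of querying directly."""
    return sorted(a for a, label in report.items()
                  if label in ("fixed", "sequential", "narrow"))


if __name__ == "__main__":
    report = audit(OBSERVATIONS)
    for addr, label in sorted(report.items()):
        print(f"{addr:12} {label}")
    print("forward via patched resolver:", needs_forwarder(report))
```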

