Re: DNS cache poisoning?
From: David Pick (d.m.pick_at_qmul.ac.uk)
Date: 08/17/05
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: Proper ISP Reporting"
- In reply to: chad_at_mr-lew.com: "Re: DNS cache poisoning?"
- Next in thread: James C Slora Jr: "RE: DNS cache poisoning?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: incidents@securityfocus.com Date: Wed, 17 Aug 2005 07:44:34 +0100
> Your first step should be to remove your DNS services
> from that WinNT box to something that is less vulnerable and
> start using a BIND based DNS solution
<snip>
I'd agree wholeheartedly with the first part of this. But:
There are other DNS servers available for UNIX/Linux that are
even less vulnerable than BIND. BIND is pretty good, but still
has "features" that are unnecessary and any unnecessary code
can contain vulnerabilities. I use a package called "DJBDNS"
(see: http://cr.yp.to/) that is a little more work to set up
but which, once running, is *very* stable. It's also easier to
keep the zone files maintained: they're a different format
from BIND, but simpler to update.
One thing that many people find makes DJBDNS harder is that
it uses different programs for running a DNS cache and for
supplying master sources of DNS data, so for most people
both have to be set up, but each is individually easier to
set up *safely* than BIND. It is also much more conservative
than BIND about adding the "additional" records in a response
to the cache, and this makes it almost impossible to poison
the cache program.
Just my 2p-worth. Don't get the impression BIND is dangerous:
it isn't; but it is possible to do even better.
-- David Pick
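The "conservative about additional records" behaviour the post credits for dnscache's resistance to poisoning is usually called bailiwick checking. The sketch below is an added example, not code from djbdns or from the poster: it keeps an additional-section record only when its owner name lies inside the zone being answered for and it is glue for an NS record in the authority section. The RR layout and the sample response are constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RR:
    """One resource record (constructed; real records also carry TTL/class)."""
    name: str    # owner name, e.g. "ns1.example.com."
    rtype: str   # "A", "AAAA", "NS", ...
    data: str    # rdata as text


def canon(name: str) -> str:
    """Lower-case and make absolute so comparisons are not fooled by case or a missing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it."""
    n, z = canon(name), canon(zone)
    return n == z or n.endswith("." + z)


def accept_for_cache(zone: str, answer: List[RR], authority: List[RR],
                     additional: List[RR]) -> List[RR]:
    """Return the records a conservative cache would keep from one response."""
    # Names that in-zone NS records point at; only these may receive glue.
    glue_targets = {canon(rr.data) for rr in authority
                    if rr.rtype == "NS" and in_bailiwick(rr.name, zone)}
    kept = [rr for rr in answer + authority if in_bailiwick(rr.name, zone)]
    for rr in additional:
        # Unsolicited additional data is exactly what a poisoner relies on:
        # keep an address only if it is glue for an NS we already accepted.
        if rr.rtype in ("A", "AAAA") and in_bailiwick(rr.name, zone) \
                and canon(rr.name) in glue_targets:
            kept.append(rr)
    return kept


# Constructed sample: resolving www.example.com via the example.com servers.
ANSWER = [RR("www.example.com.", "A", "192.0.2.10")]
AUTHORITY = [RR("example.com.", "NS", "ns1.example.com.")]
ADDITIONAL = [
    RR("ns1.example.com.", "A", "192.0.2.53"),     # glue for the NS above: kept
    RR("mail.example.com.", "A", "192.0.2.25"),    # in zone, but not glue: dropped
    RR("www.other.example.", "A", "203.0.113.5"),  # outside the zone: dropped
]

if __name__ == "__main__":
    for rr in accept_for_cache("example.com", ANSWER, AUTHORITY, ADDITIONAL):
        print(rr)
```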