Re: CAIS-ALERT: Vulnerability in the sending requests control of BIND

From: D. J. Bernstein (djbat_private)
Date: Wed Nov 27 2002 - 14:20:05 PST


Vagner Sacramento writes:
> BIND versions 4 and 8 use procedures that allow a remote DNS Spoofing
> attack against DNS servers.

Nonsense. All DNS caches will accept forged packets. See

   http://cr.yp.to/djbdns/forgery.html

for an analysis of the cost of a forgery.

Yes, the cost of a blind forgery depends quite noticeably on the
software---it's larger for dnscache (djbdns) than for BIND 9 thanks to
BIND's port reuse, and larger for BIND 9 than for older versions of BIND
thanks to this ``vulnerability,'' which has been known for years---but
thinking that software can protect you from forged DNS packets with the
current DNS protocol is like thinking that shorts and a T-shirt will
protect you from the winter wind in Chicago.

Furthermore, the recommendation to limit recursion, while certainly a
good idea, doesn't make a big difference in the cost unless you also
clamp down on all the programs that act as DNS-query-tunneling tools:
SMTP servers, web browsers, etc.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
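
The message argues that forgery is a matter of cost, not of whether a given cache "has a vulnerability", and that source-port reuse is what makes the cost differ between resolvers. The following is an added example, not code from Bernstein's message or from djbdns/BIND, of the kind of exposure estimate a defender would make from that argument. It assumes (none of this is stated on the page) a 16-bit DNS transaction ID, a resolver that either reuses one UDP source port or picks from `port_choices` ports, and that an off-path forger can land `forged_replies` distinct guesses before the genuine answer arrives; the 64,000-port figure is a constructed placeholder for "roughly the whole ephemeral range". The same model is the one later written down in RFC 5452.

```python
import math

# Added example (not from the original message). Model: an off-path forged
# reply is accepted only if it matches the query's transaction ID and the
# resolver's source port. Assumed parameters are marked below.


def guess_space(txid_bits: int = 16, port_choices: int = 1) -> int:
    """Number of (transaction ID, source port) pairs a forged reply must match.

    txid_bits=16 is the DNS ID field width (assumption: no extra entropy);
    port_choices=1 models a resolver that reuses a single source port.
    """
    if txid_bits <= 0 or port_choices <= 0:
        raise ValueError("need at least one ID bit and one candidate port")
    return (1 << txid_bits) * port_choices


def unpredictability_bits(txid_bits: int = 16, port_choices: int = 1) -> float:
    """Entropy, in bits, that a blind forger has to guess per response."""
    return math.log2(guess_space(txid_bits, port_choices))


def success_probability_per_query(forged_replies: int, txid_bits: int = 16,
                                  port_choices: int = 1) -> float:
    """Probability that one outgoing query gets a forged answer accepted,
    given `forged_replies` distinct guesses arrive inside its race window.
    Guesses are distinct, so the probability grows linearly, capped at 1."""
    if forged_replies < 0:
        raise ValueError("forged_replies must be non-negative")
    return min(1.0, forged_replies / guess_space(txid_bits, port_choices))


def expected_queries_until_forgery(forged_replies: int, txid_bits: int = 16,
                                   port_choices: int = 1) -> float:
    """Expected number of outgoing queries (each a separate race window)
    before a forgery succeeds: the mean of a geometric distribution, 1/p."""
    p = success_probability_per_query(forged_replies, txid_bits, port_choices)
    if p == 0.0:
        return float("inf")
    return 1.0 / p


def compare_port_policies(forged_replies: int = 100) -> dict:
    """Exposure of a fixed-source-port resolver next to a randomizing one.

    Constructed figures: 1 port for the reuse case, 64000 for a resolver
    drawing its source port from most of the ephemeral range.
    """
    return {
        "fixed_source_port": expected_queries_until_forgery(forged_replies, 16, 1),
        "random_source_port": expected_queries_until_forgery(forged_replies, 16, 64000),
    }


if __name__ == "__main__":
    for policy, ports in (("fixed_source_port", 1), ("random_source_port", 64000)):
        print(f"{policy}: {unpredictability_bits(16, ports):.1f} bits to guess per reply")
    for policy, queries in compare_port_policies().items():
        print(f"{policy}: about {queries:,.0f} race windows before a forgery (model)")
```

The point the numbers make is the one in the message: moving from a reused port to a randomized one multiplies the forger's work by the number of candidate ports, which is why the figure differs between resolvers, but with any fixed 16-bit ID the work stays finite and bounded, so the protocol rather than the implementation sets the ceiling. The model also shows why limiting recursion alone buys little: every additional query a resolver can be induced to send (the "query-tunneling" via mail servers or browsers the message mentions) is another race window, and the expected cost is counted in windows.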
    