Date: Thu, 24 Jul 2008 09:37:59 -0400
I just read in the newspaper there is a "virus" running
around that affects DNS that operate with a cache or resolver server.
So we could all be vulnerable to cache poisoning or spoofing.
Take a look at
http://www.kb.cert.org/vuls/id/800113
http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
http://www.microsoft.com/technet/security/Bulletin
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
http://news.oreilly.com/2008/07/dan-kaminsky-upgrade-your-dns.html
Fernando Rannou
On Thu, 2008-07-24 at 00:43 -0700, Keith Lofstrom wrote:
> On Wed, Jul 23, 2008 at 12:07:06AM -0700, Keith Lofstrom wrote:
> >
> > There was a flurry of upgrades to BIND/named about a week ago. Over
> > the last few days, I have noticed a few DNS failures (but that may
> > be coincidental). I am learning to read debug output and developing
> > a better understanding of named.conf (set up by a consultant 5 years
> > ago) and so on, but meanwhile, is anyone else having problems?
> >
> > Try "dig ns1.hostica.com +trace" and see if it fails.
> >
> > Keith
>
> In my case, it turned out to be a couple of things. The DNS UDP
> packets seem to be a bit longer now. I am currently connected to
> Verizon FIOS through an Actiontec cable modem/router, which some
> websites say truncates UDP packets to 512 bytes, in accordance
> with RFC negative 666. :-) That caused problems with hostica
> and others. I changed /etc/named.conf to a policy of forward
> first, and used the Verizon nameservers as forwarders, taking out
> the lookup through the root nameservers. Verizon does some goofy
> things with nonexistent URLs, but I can live with that for now.
>
> Keith
>
> --
> Keith Lofstrom [log in to unmask] Voice (503)-520-1993
> KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
> Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
>