[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: using bind9 to protect resolvers
In some mail from Gregory Steuck, sie said:
> >>>>> "Darren" == Darren Reed <firstname.lastname@example.org> writes:
> Darren> There was a post elsewhere that using BIND 9 as a forwarder
> Darren> will negate this threat as BIND 9 reconnstructs all DNS
> Darren> queries/replies, hence dismantling the buffer overflow.
> Darren> So if you can't upgrade everything's libc, just forcing
> Darren> everything to send/receive DNS stuff through a BIND 9 named
> Darren> will provide protection from this attack.
> In such a case I could imagine dnscache from djbdns would work just as
> well? Anybody can confirm this?
Others have mentioned that neither will work because the bug exploits a
problem in the counter about how much is used in the buffer is what's
wrong, along with an alignment problem. *shrug* my comment was based
on a comment from Mark Andrews on one of the freebsd lists (he's done
significant amounts of work inside BIND, over the years).
I guess the best thing you can do is upgrade as much as you can, as always.