Re: using bind9 to protect resolvers
In some mail from Gregory Steuck, sie said:
>
> >>>>> "Darren" == Darren Reed <avalon@coombs.anu.edu.au> writes:
>
> Darren> There was a post elsewhere that using BIND 9 as a forwarder
> Darren> will negate this threat as BIND 9 reconstructs all DNS
> Darren> queries/replies, hence dismantling the buffer overflow.
>
> Darren> So if you can't upgrade everything's libc, just forcing
> Darren> everything to send/receive DNS stuff through a BIND 9 named
> Darren> will provide protection from this attack.
>
> In such a case I could imagine dnscache from djbdns would work just as
> well? Can anybody confirm this?
Others have mentioned that neither will work, because the bug exploits a
problem in the counter that tracks how much of the buffer is used, along
with an alignment problem. *shrug* My comment was based on a comment from
Mark Andrews on one of the FreeBSD lists (he's done significant amounts of
work inside BIND over the years).
I guess the best thing you can do is upgrade as much as you can, as always.