[nsp-sec] Solutions for the DNS vul?
Mike Tancsa
mike at sentex.net
Thu Jul 24 07:48:25 EDT 2008
At 07:35 AM 7/24/2008, Jose Nazario wrote:
>----------- nsp-security Confidential --------
>
>On Thu, 24 Jul 2008, Yonglin ZHOU wrote:
>
>>Beside patching the dns servers, any other supplementary
>>countermeasures?
>
>NAT/PAT devices that can randomize the source port independent of
>the client on the other side of it should help provide that sport
>randomization that the patches add. OpenBSD's PF can do this, as an
>example, I don't know which other NAT/PAT devices can. Here's how it
>looks in OpenBSD:
>
> http://blog.spoofed.org/2008/07/mitigating-dns-cache-poisoning-with-pf.html
>
It also works with pf on FreeBSD. I ran it for a few days on a
number of our servers prior to patching. Another option might be to
change the problem name servers to talk to a forwarder for all new
recursive queries.
---Mike
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet
>security counter-measures.
>_______________________________________________
>
>--
>-------------------------------------------------------------
>jose nazario, ph.d. <jose at arbor.net>
>security researcher, office of the CTO, arbor networks
>v: (734) 821 1427 http://asert.arbornetworks.com/
>
>
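Whether the pf NAT (or the vendor patch) is really randomizing the resolver's query source ports is easy to verify from a capture on the outside interface. The check below is an added example, not code from this thread or from the pf write-up Jose links: it parses constructed tcpdump-style lines (the sample data, function names and thresholds are my own assumptions) and compares the spread of observed ports against what that many random draws should produce.

```python
import math
import random
from collections import Counter

# Constructed tcpdump-style lines ("IP src.PORT > dst.53:"), as one would capture
# on the NAT's outside interface; none of these come from the original thread.
RNG = random.Random(2008)
RANDOMIZED = [f"IP 192.0.2.10.{p} > 198.51.100.1.53: 1+ A? example.net. (29)"
              for p in RNG.sample(range(1024, 65536), 200)]
FIXED = ["IP 192.0.2.10.53 > 198.51.100.1.53: 1+ A? example.net. (29)"] * 50
SEQUENTIAL = [f"IP 192.0.2.10.{32768 + i} > 198.51.100.1.53: 1+ A? example.net. (29)"
              for i in range(50)]

def parse_tcpdump_ports(lines):
    """Extract the UDP source port from each 'IP a.b.c.d.PORT > x.y.z.w.53:' line."""
    ports = []
    for line in lines:
        src = line.split(" > ")[0].split()[-1]      # e.g. "192.0.2.10.4321"
        ports.append(int(src.rsplit(".", 1)[1]))
    return ports

def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())

def is_sequential(ports, threshold=0.9):
    """True when nearly every query's port is a small increment over the previous one."""
    if len(ports) < 2:
        return False
    steps = sum(1 for a, b in zip(ports, ports[1:]) if 0 < b - a <= 3)
    return steps / (len(ports) - 1) >= threshold

def assess(ports):
    """Classify a port sample: 'fixed', 'sequential', 'weak' or 'randomized'."""
    if len(set(ports)) == 1:
        return "fixed"
    if is_sequential(ports):
        return "sequential"
    # log2(n) is the most entropy n samples can show; demand most of it plus a wide range.
    ratio = port_entropy_bits(ports) / math.log2(len(ports))
    if ratio < 0.9 or max(ports) - min(ports) < 1024:
        return "weak"
    return "randomized"

if __name__ == "__main__":
    for name, lines in (("randomized", RANDOMIZED), ("fixed", FIXED), ("sequential", SEQUENTIAL)):
        print(f"{name:>10}: {assess(parse_tcpdump_ports(lines))}")
```

Replace the constructed lists with the output of `tcpdump -n udp dst port 53` taken outside the NAT; a resolver still reporting "fixed" or "sequential" after the change has not picked up the mitigation.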