SANS: DNS Bug Now Public?
Phil Regnauld
regnauld at catpipe.net
Thu Jul 24 08:45:05 UTC 2008
Joe Abley (jabley) writes:
>
> Having just seen some enterprise types spend time patching their
> nameservers, it's also perhaps worth spelling out that "patch" in this case
> might require more than upgrading resolver code -- it could also involve
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT
> reassigns source ports in a predictable fashion, then no amount of BIND9
> patching is going to help.
Case in point, we've got customers running around in circles
screaming "we need to upgrade, please help us upgrade NOW",
but they have _3_ layers of routers and firewalls that are hardcoded to
only allow DNS queries from port 53.
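A defender-side check for the problem both posts describe, as an added example that is not from this thread: it scores the UDP source ports a resolver actually emits on the wire (as seen upstream of the NAT or firewall) to tell randomized ports from NAT-rewritten sequential ones or a firewall-forced fixed port 53. The port lists and the verdict thresholds below are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample observations (not real captures): the UDP source port
# of successive outbound queries from one resolver, as a packet capture
# taken on the outside of the NAT/firewall would show them.
RANDOMIZED_PORTS = [54133, 12877, 60211, 3307, 41920, 27761, 58402, 9915,
                    33018, 48670, 21044, 62951, 7702, 37285, 50139, 15588]
NAT_SEQUENTIAL_PORTS = list(range(1024, 1040))   # NAT reassigning ports in order
FIXED_PORT_53 = [53] * 16                        # firewall forces source port 53


def port_randomness(ports):
    """Score a sequence of observed query source ports.

    Returns a dict with:
      distinct         - number of unique ports seen
      entropy          - Shannon entropy (bits) of the observed distribution
      sequential_ratio - fraction of consecutive pairs that differ by <= 1
      verdict          - 'GREAT', 'POOR' or 'FIXED' (heuristic thresholds,
                         an assumption of this example, not a standard)
    """
    if not ports:
        raise ValueError("no ports observed")
    n = len(ports)
    counts = Counter(ports)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    pairs = list(zip(ports, ports[1:]))
    seq = (sum(1 for a, b in pairs if abs(b - a) <= 1) / len(pairs)
           if pairs else 0.0)
    if len(counts) == 1:
        verdict = "FIXED"          # every query left from the same port
    elif seq > 0.5 or entropy < 0.75 * math.log2(n):
        verdict = "POOR"           # predictable (sequential or low-entropy)
    else:
        verdict = "GREAT"
    return {"distinct": len(counts), "entropy": round(entropy, 2),
            "sequential_ratio": round(seq, 2), "verdict": verdict}


if __name__ == "__main__":
    for name, sample in [("patched resolver", RANDOMIZED_PORTS),
                         ("behind sequential NAT", NAT_SEQUENTIAL_PORTS),
                         ("firewall pins port 53", FIXED_PORT_53)]:
        print(f"{name:24s} {port_randomness(sample)}")
```

A patched BIND9 behind a NAT that rewrites ports will still show up as POOR here, which is the point Joe makes above.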
More information about the NANOG mailing list