SANS: DNS Bug Now Public?

Phil Regnauld regnauld at catpipe.net
Thu Jul 24 03:45:05 CDT 2008


Joe Abley (jabley) writes:
>
> Having just seen some enterprise types spend time patching their 
> nameservers, it's also perhaps worth spelling out that "patch" in this case 
> might require more than upgrading resolver code -- it could also involve 
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT 
> reassigns source ports in a predictable fashion, then no amount of BIND9 
> patching is going to help.

	Case in point, we've got customers running around in circles
	screaming "we need to upgrade, please help us upgrade NOW",
	but they have _3_ layers of routers and firewalls that are hardcoded to
	only allow DNS queries from port 53.




More information about the NANOG mailing list