SANS: DNS Bug Now Public?

Phil Regnauld regnauld at
Thu Jul 24 08:45:05 UTC 2008

Joe Abley (jabley) writes:
> Having just seen some enterprise types spend time patching their 
> nameservers, it's also perhaps worth spelling out that "patch" in this case 
> might require more than upgrading resolver code -- it could also involve 
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT 
> reassigns source ports in a predictable fashion, then no amount of BIND9 
> patching is going to help.

	Case in point, we've got customers running around in circles
	screaming "we need to upgrade, please help us upgrade NOW",
	but they have _3_ layers of routers and firewalls that are hardcoded to
	only allow DNS queries from port 53.

More information about the NANOG mailing list