SANS: DNS Bug Now Public?

Phil Regnauld regnauld at catpipe.net
Thu Jul 24 08:45:05 UTC 2008


Joe Abley (jabley) writes:
>
> Having just seen some enterprise types spend time patching their 
> nameservers, it's also perhaps worth spelling out that "patch" in this case 
> might require more than upgrading resolver code -- it could also involve 
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT 
> reassigns source ports in a predictable fashion, then no amount of BIND9 
> patching is going to help.

	Case in point, we've got customers running around in circles
	screaming "we need to upgrade, please help us upgrade NOW",
	but they have _3_ layers of routers and firewalls that are hardcoded to
	only allow DNS queries from port 53.
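
As an added example, not part of this thread or of any software it mentions: a small Python check a defender can run over a capture of the resolver's outbound queries taken on the outside of the NAT or firewall, to see whether the source ports the rest of the Internet sees are still randomized or have been rewritten into a fixed or sequential pattern. The tcpdump-style lines, addresses and port lists are constructed.

```python
# Added example: classify the source ports seen on outbound DNS queries as
# fixed, sequential, low-entropy or randomized. Run it against a capture
# taken outside the NAT, not on the resolver itself.
import math
import re
from collections import Counter

# Matches tcpdump-style lines such as "IP 192.0.2.10.34567 > 198.51.100.1.53: ..."
# Assumption: queries go to UDP port 53; only the client-side port is kept.
_QUERY_RE = re.compile(r"IP \S+?\.(\d+) > \S+\.53:")

def source_ports(lines):
    """Extract the outbound source port from each captured query line."""
    return [int(m.group(1)) for line in lines if (m := _QUERY_RE.search(line))]

def entropy_bits(ports):
    """Shannon entropy of the observed port distribution (max is log2(len(ports)))."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())

def stride_fraction(ports):
    """Share of consecutive queries that advance by the single most common step."""
    if len(ports) < 2:
        return 0.0
    steps = Counter(b - a for a, b in zip(ports, ports[1:]))
    step, count = steps.most_common(1)[0]
    return count / (len(ports) - 1) if step != 0 else 0.0

def assess(ports):
    """Return 'fixed', 'sequential', 'low-entropy' or 'randomized'."""
    if len(set(ports)) == 1:
        return "fixed"            # e.g. a firewall rule forcing every query out of port 53
    if stride_fraction(ports) >= 0.8:
        return "sequential"       # e.g. a NAT handing out ports in order
    if entropy_bits(ports) >= 0.9 * math.log2(len(ports)):
        return "randomized"
    return "low-entropy"

# Constructed captures (RFC 5737 documentation addresses), one line per query.
FIXED = ["IP 192.0.2.10.53 > 198.51.100.1.53: 1234+ A? example.com."] * 12
SEQUENTIAL = [f"IP 192.0.2.10.{p} > 198.51.100.1.53: A? example.com."
              for p in range(40000, 40012)]
RANDOMIZED = [f"IP 192.0.2.10.{p} > 198.51.100.1.53: A? example.com."
              for p in (61237, 2049, 50401, 17788, 33012, 9123,
                        45911, 28076, 60233, 5517, 39850, 14402)]

if __name__ == "__main__":
    for name, cap in (("fixed", FIXED), ("sequential", SEQUENTIAL), ("randomized", RANDOMIZED)):
        print(f"{name}: {assess(source_ports(cap))}")
```

A real capture will be longer and noisier than twelve queries; the thresholds are starting points to tune against a known-good resolver.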