* [gentoo-user] DNS Server Patches
From: Dan Farrell @ 2008-07-27 23:03 UTC
To: gentoo-user
The recently released (early July) advisory on the DNS exploits
discovered earlier this year has caused a bit of a stir on the
BIND mailing lists, and rightly so. Everybody on board with this one?
CERT Bulletin:
http://www.kb.cert.org/vuls/id/800113
Dan Kiersky's own description, and web-based nameserver checker:
http://www.doxpara.com/
Alternate web-based nameserver checker (recommended by me!)
https://www.dns-oarc.net/oarc/services/dnsentropy
If your nameservers aren't updated, do so! If your ISP's nameservers
aren't updated, hound them relentlessly until they are! This is the
only way we can all protect the validity of our clients and our own
data.
* Re: [gentoo-user] DNS Server Patches
From: Norberto Bensa @ 2008-07-28 11:08 UTC
To: gentoo-user
Quoting Dan Farrell <dan@spore.ath.cx>:
> Dan Kiersky's own description, and web-based nameserver checker:
>
> http://www.doxpara.com/
>
> Alternate web-based nameserver checker (recommended by me!)
>
> https://www.dns-oarc.net/oarc/services/dnsentropy
I don't get these tests. Why do they probe _my_ IP and not the IP of
my DNS servers? What's the point of probing me if _maybe_ the servers
are not patched?
Thanks,
Norberto
* [gentoo-user] Re: DNS Server Patches
From: Nikos Chantziaras @ 2008-07-28 11:43 UTC
To: gentoo-user
Norberto Bensa wrote:
> Quoting Dan Farrell <dan@spore.ath.cx>:
>
>> Dan Kiersky's own description, and web-based nameserver checker:
>>
>> http://www.doxpara.com/
>>
>> Alternate web-based nameserver checker (recommended by me!)
>>
>> https://www.dns-oarc.net/oarc/services/dnsentropy
>
> I don't get these tests. Why do they probe _my_ IP and not the IP of my
> DNS servers? What's the point of probing me if _maybe_ the servers are
> not patched?
Er, they *do* test the IP of your DNS server. At least that's the case
here; it successfully tested my ISP's DNS (and told me it sucks and is
vulnerable).
* Re: [gentoo-user] DNS Server Patches
From: Stroller @ 2008-07-29 0:03 UTC
To: gentoo-user
On 28 Jul 2008, at 12:08, Norberto Bensa wrote:
> Quoting Dan Farrell <dan@spore.ath.cx>:
>
>> Dan Kiersky's own description, and web-based nameserver checker:
>>
>> http://www.doxpara.com/
>>
>> Alternate web-based nameserver checker (recommended by me!)
>>
>> https://www.dns-oarc.net/oarc/services/dnsentropy
>
> I don't get these tests. Why do they probe _my_ IP and not the IP
> of my DNS servers? What's the point of probing me if _maybe_ the
> servers are not patched?
Wild guess: the problem is with the client mode of operation. DNS
servers are affected because they're clients to the root name-servers.
I think this vulnerability highlights the issue of using servers that
you TRUST.
It applies to other vulnerabilities, too. It doesn't matter if you
revoke your SSH key and upload it to OpenForge if the OpenForge
server itself is trusting an insecure SSH key, and an attacker can
use it to get at your account that way.
Stroller.
* Re: [gentoo-user] Re: DNS Server Patches
From: Norberto Bensa @ 2008-07-29 4:11 UTC
To: gentoo-user
> Norberto Bensa wrote:
>>
>> I don't get these tests. Why do they probe _my_ IP and not the IP
>> of my DNS servers? What's the point of probing me if _maybe_ the
>> servers are not patched?
>
Heh... I'm sorry. I sometimes forget I run my own DNS servers :)
After changing my /etc/resolv.conf, I got my ISP's servers tested.
They are patched.
Regards,
Norberto
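
Added example (not part of the original thread): a web-based checker sees queries from whichever recursive resolver the client's /etc/resolv.conf points at, and VU#800113 concerns how predictable that resolver's UDP source ports and transaction IDs are. The sketch below goes beyond the thread by summarising source ports as an authoritative server might log them; the resolv.conf text, the port samples and the verdict labels are all constructed assumptions, not the checkers' own logic.

```python
import statistics

# Constructed resolv.conf: a local resolver first, then an ISP resolver
# (192.0.2.53 is a documentation address).
SAMPLE_RESOLV_CONF = """\
# constructed sample
search example.net
nameserver 127.0.0.1
nameserver 192.0.2.53
"""

# Constructed source-port samples for three hypothetical resolvers.
FIXED = [32768] * 8
SEQUENTIAL = list(range(1025, 1033))
VARIED = [51234, 10422, 38011, 60233, 2049, 44718, 17990, 29555]


def configured_resolvers(resolv_conf_text):
    """Return the nameserver addresses the stub resolver will try, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def port_spread(ports):
    """Summarise how predictable a run of observed UDP source ports looks."""
    distinct = len(set(ports))
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if distinct == 1:
        verdict = "fixed port"        # every query left from the same port
    elif len(steps) == 1:
        verdict = "sequential ports"  # constant increment, trivially guessable
    else:
        verdict = "varied ports"      # no simple pattern in this sample
    return {"distinct": distinct,
            "stdev": round(statistics.pstdev(ports), 1),
            "verdict": verdict}


if __name__ == "__main__":
    print("resolver that gets tested first:",
          configured_resolvers(SAMPLE_RESOLV_CONF)[0])
    for name, sample in (("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("varied", VARIED)):
        print(name, port_spread(sample))
```

A small sample like this can only show an obviously fixed or sequential pattern; it does not prove that a resolver's ports are well randomised.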