
View full version : Dan Kaminsky Discovers Fundamental Issue In DNS



cmbe
27-08-2008, 12:13
Hi,

Do you have or intend to have a fix concerning this dreadful subject?

Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released

http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/



And please check the dnsmasq Changelog [http://www.thekelleys.org.uk/dnsmasq/CHANGELOG]:

version 2.43 [11-Jul-2008]:


...

Implement random source ports for interactions with upstream nameservers. New spoofing attacks have been found against nameservers which do not do this, though it is not clear if dnsmasq is vulnerable, since it doesn't implement recursion. By default dnsmasq will now use a different source port (and socket) for each query it sends upstream. This behaviour can be suppressed using the --query-port option, and the old default behaviour restored using --query-port=0. Explicit source-port specifications in --server configs are still honoured.

Replace the random number generator, for better security. On most BSD systems, dnsmasq uses the arc4random() RNG, which is secure, but on other platforms, it relied on the C-library RNG, which may be guessable and therefore allow spoofing. This release replaces the libc RNG with the SURF RNG, from Daniel J. Bernstein's DJBDNS package.
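As an added example (not part of the original post or of dnsmasq), here is a small audit that a defender can run over the source ports of a resolver's outbound upstream queries, for instance extracted from a capture on the upstream-facing interface, to tell the old single-socket behaviour (or a fixed --query-port) apart from the per-query random ports introduced in 2.43. The sample records are constructed; the field names and thresholds are this example's own assumptions.

```python
"""Check whether a resolver randomizes the source port of upstream queries.

Each record is (src_port, txid) for one query sent upstream.  A fixed port
leaves only the 16-bit transaction ID for an off-path spoofer to guess;
per-query random ports add the observed port entropy on top of that.
"""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def audit_source_ports(queries, min_samples=20):
    """Classify port diversity of upstream queries.

    Returns a dict with a 'verdict' of fixed-port, low-diversity, randomized
    or insufficient-samples, plus the entropy figures behind it.
    """
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    if len(ports) < min_samples:
        return {"verdict": "insufficient-samples", "samples": len(ports)}
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "fixed-port"          # pre-2.43 default or --query-port=<n>
    elif distinct < len(ports) // 2:
        verdict = "low-diversity"       # heavy reuse: worth a closer look
    else:
        verdict = "randomized"          # fresh port per query, as in 2.43+
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    return {
        "verdict": verdict,
        "samples": len(ports),
        "distinct_ports": distinct,
        "port_entropy_bits": round(port_bits, 2),
        "txid_entropy_bits": round(txid_bits, 2),
        # what a spoofer must match: txid plus whatever the port contributes
        "effective_guess_bits": round(port_bits + txid_bits, 2),
    }


# Constructed sample captures (seeded so the figures are reproducible).
_rng = random.Random(1)
# Old behaviour: one socket, so every query leaves from the same OS-assigned port.
FIXED_PORT_QUERIES = [(32768, _rng.randrange(65536)) for _ in range(40)]
# 2.43 behaviour: a new socket, hence a new port, for each upstream query.
RANDOM_PORT_QUERIES = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
                       for _ in range(40)]
```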