DNS doozy, is there a 6.5.22m fix for this?
Bigger than Ben Hur, bigger than Debian's ssh keys,
http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/
Is there a 6.5.22m fix for this?
Land of the Long White Cloud and no Software Patents.
- nekonoko
- Site Admin
- Posts: 8145
- Joined: Thu Jan 23, 2003 1:31 am
- Location: Pleasanton, California
- Contact:
Re: DNS doozy, is there a 6.5.22m fix for this?
I updated BIND9 in Nekoware with the fix.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
Re: DNS doozy, is there a 6.5.22m fix for this?
Does that replace the standard client resolver library? Or is it a server only fix?
Land of the Long White Cloud and no Software Patents.
- nekonoko
- Site Admin
- Posts: 8145
- Joined: Thu Jan 23, 2003 1:31 am
- Location: Pleasanton, California
- Contact:
Re: DNS doozy, is there a 6.5.22m fix for this?
It's the standard BIND server package with the required patch.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
Re: DNS doozy, is there a 6.5.22m fix for this?
nekonoko wrote: It's the standard BIND server package with the required patch.
Sorry to be pedantic, but is this a "neko_bind" or does this actually replace the resolver used by SGI compiled programs?
Land of the Long White Cloud and no Software Patents.
- nekonoko
- Site Admin
- Posts: 8145
- Joined: Thu Jan 23, 2003 1:31 am
- Location: Pleasanton, California
- Contact:
Re: DNS doozy, is there a 6.5.22m fix for this?
It's neko_bind of course, but my understanding is that by running a local caching nameserver, the local resolver won't need to reach out to a malicious source. At least that was my interpretation of:
Run a local DNS cache
In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems, in conjunction with the network segmentation and filtering strategies mentioned above.
http://www.kb.cert.org/vuls/id/800113
This is, of course, what I do here.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
-
- Posts: 326
- Joined: Wed Feb 22, 2006 1:58 pm
- Location: San Diego, Ca
- Contact:
Re: DNS doozy, is there a 6.5.22m fix for this?
I saw this test floating around another list; it is worth having.
https://www.dns-oarc.net/
dig +short porttest.dns-oarc.net TXT
In Windows you can use nslookup
> nslookup
> set type=txt
> porttest.dns-oarc.net
All the Linux boxes I patched are fine [yeah!] but the Solaris 10 box I did yesterday is still poor [it did ask for a reboot, so as soon as I do that I hope it fixes up]. You can try the nslookup under IRIX to see if your server/workstation is ok.
-Mike
- nekonoko
- Site Admin
- Posts: 8145
- Joined: Thu Jan 23, 2003 1:31 am
- Location: Pleasanton, California
- Contact:
Re: DNS doozy, is there a 6.5.22m fix for this?
Cool, my IRIX systems came back with GOOD on that test 

Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
Re: DNS doozy, is there a 6.5.22m fix for this?
It's coming up on a month - any news of an SGI patch for any IRIX version?
"Brakes??? What Brakes???"
"I am O SH-- the Great and Powerful"
(single-CM)
-
- Posts: 326
- Joined: Wed Feb 22, 2006 1:58 pm
- Location: San Diego, Ca
- Contact:
Re: DNS doozy, is there a 6.5.22m fix for this?
"IRIX? Never heard of it." Says the SGI salesman. 
-Mike
Re: DNS doozy, is there a 6.5.22m fix for this?
I suppose that technically you're unlikely to run into any future issues if you install the Nekoware BIND and run links to the IRIX BIND - after all, the future upgrade potential of IRIX is limited - but there's a part of me that wants to keep it as original as possible.
"Brakes??? What Brakes???"
"I am O SH-- the Great and Powerful"
(single-CM)
Re: DNS doozy, is there a 6.5.22m fix for this?
I was under the impression this also required a client fix (so that the magic number in the DNS packet sent was randomized rather than incremented) so that would need a change to libc.so and/or libnsl.so.
Land of the Long White Cloud and no Software Patents.
Re: DNS doozy, is there a 6.5.22m fix for this?
Might be worth it if a Nekochanner with a service contract opens a case just to get the scoop on when/whether there will be an official fix or a workaround. Unfortunately, I let my contract lapse a little while ago...
Re: DNS doozy, is there a 6.5.22m fix for this?
porter wrote: I was under the impression this also required a client fix (so that the magic number in the DNS packet sent was randomized rather than incremented) so that would need a change to libc.so and/or libnsl.so.
Brief discussion of this in the OS X Leopard context at http://db.tidbits.com/article/9721 , presumably IRIX could be similar.
Re: DNS doozy, is there a 6.5.22m fix for this?
nekonoko wrote: Cool, my IRIX systems came back with GOOD on that test
Heh heh
text = "208.67.219.13 is GREAT: 26 queries in 0.1 seconds from 26 ports with std dev 18595"
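An added example, not part of any post in this thread: a shell helper that parses the one-line answer returned by the porttest.dns-oarc.net TXT query used above and turns it into a verdict. The function names, the pass/warn/fail policy and the POOR sample line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Answer layout as quoted in the thread:
#   <ip> is <RATING>: <n> queries in <t> seconds from <p> ports with std dev <s>

# parse_porttest LINE
# Prints "ip rating queries ports stddev", or nothing if LINE is not a result.
parse_porttest() {
    printf '%s\n' "$1" | tr -d '"' | awk '
    {
        for (i = 2; i + 13 <= NF; i++) {
            if ($i == "is" && $(i + 3) == "queries" && $(i + 9) == "ports") {
                rating = $(i + 1)
                sub(/:$/, "", rating)
                print $(i - 1), rating, $(i + 2), $(i + 8), $(i + 13)
                exit
            }
        }
    }'
}

# porttest_verdict LINE
# Prints PASS, WARN, FAIL or UNPARSED. The policy is an assumption of this
# example: POOR or a single source port fails, GREAT passes, anything else warns.
porttest_verdict() {
    set -- $(parse_porttest "$1")
    if [ $# -ne 5 ]; then
        echo UNPARSED
    elif [ "$2" = POOR ] || [ "$4" -le 1 ]; then
        echo FAIL
    elif [ "$2" = GREAT ]; then
        echo PASS
    else
        echo WARN
    fi
}

# Sample answers: the first is the line quoted in the thread, the second is
# constructed (192.0.2.53 is a documentation address).
SAMPLE_GREAT='text = "208.67.219.13 is GREAT: 26 queries in 0.1 seconds from 26 ports with std dev 18595"'
SAMPLE_POOR='"192.0.2.53 is POOR: 26 queries in 0.1 seconds from 1 ports with std dev 0"'

for line in "$SAMPLE_GREAT" "$SAMPLE_POOR"; do
    echo "$(porttest_verdict "$line"): $(parse_porttest "$line")"
done
# Live use: porttest_verdict "$(dig +short porttest.dns-oarc.net TXT | tail -n 1)"
```

The address at the start of the answer is the resolver that actually contacted the test server; if it is not your own machine, the rating describes your upstream forwarder rather than the local host.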