Re: More Re: [cobalt-developers] Fwd: CERT Advisory CA-2002-15 Denial-of-Service Vulnerability in ISC BIND 9
- Subject: Re: More Re: [cobalt-developers] Fwd: CERT Advisory CA-2002-15 Denial-of-Service Vulnerability in ISC BIND 9
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Wed Jun 5 09:08:00 2002
- Organization: nobaloney.net
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
"E.B. Dreger" wrote:
> I disagree. Someone could DoS it once every five seconds.
My point was that the secondary would still be running; yes I suppose I
overlooked the fact that you could be DoSsed on both primary and
secondary servers, but our servers aren't vulnerable.
> Run non-vulnerable software.
We do run a non-vulnerable (to this exploit anyway <wry grin>) version
of Bind, as does everyone else running stock or close-to-stock RaQs
through at least RaQ4; I don't know about the RaQ XTR or the 550.
Is there a DNS server for Linux you like better? I'm willing to switch
<smile> as long as management is both easy and automatable. We host a
lot of master and slave DNS for a lot of clients, and I do need to be as
secure as possible.
> Consider running honeypots.
I'm not sure I understand how I'd do that with DNS. We're in the midst
of switching now to a system where the master is behind a firewall, and
all the published nameservers are slaves, but I don't believe that's
security enough.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484