North American Network Operators Group
Re: SANS: DNS Bug Now Public?
Joe Abley (jabley) writes:
>
> Having just seen some enterprise types spend time patching their
> nameservers, it's also perhaps worth spelling out that "patch" in this case
> might require more than upgrading resolver code -- it could also involve
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT
> reassigns source ports in a predictable fashion, then no amount of BIND9
> patching is going to help.

Case in point, we've got customers running around in circles screaming "we need to upgrade, please help us upgrade NOW", but they have _3_ layers of routers and firewalls that are hardcoded to only allow DNS queries from port 53.
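An added example, not part of the original message: a check an operator could run over the UDP source ports of a resolver's outbound queries, recorded on the outside of the last NAT or firewall, to see whether the path still presents a fixed or predictable port after the resolver itself has been patched. The function name, thresholds and sample port lists are assumptions constructed for this illustration.

```python
# Heuristic thresholds: assumptions chosen for this example, not from the thread.
MIN_SAMPLES = 10
SMALL_STEP = 64          # a delta of 1..64 looks like "next port handed out"
SEQUENTIAL_RATIO = 0.8   # share of small deltas that marks an incrementing NAT
NARROW_SPAN = 2048       # ports confined to a window this small are guessable


def assess_source_ports(ports):
    """Classify DNS query source ports, given in arrival order, as observed
    beyond every NAT/firewall layer (what an off-path spoofer must guess)."""
    if len(ports) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} samples")
    if len(set(ports)) == 1:
        # Resolver or middlebox pinned to one port, e.g. rules that only
        # allow queries sourced from port 53.
        return "fixed"
    # Step between consecutive queries, wrapping around the 16-bit port space.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small = sum(1 for d in deltas if 1 <= d <= SMALL_STEP)
    if small / len(deltas) >= SEQUENTIAL_RATIO:
        # NAT rewrites the resolver's random ports into an increasing sequence.
        return "sequential"
    if max(ports) - min(ports) < NARROW_SPAN:
        # Not ordered, but drawn from a small pool.
        return "narrow"
    # No pattern found in this sample; this is not proof of good randomness.
    return "scattered"


# Constructed sample observations (not captured from any real network).
SAMPLES = {
    "firewall pinned to 53": [53] * 12,
    "incrementing NAT": [20001, 20002, 20004, 20005, 20006, 20009,
                         20010, 20011, 20012, 20015, 20016, 20017],
    "small port pool": [1030, 1090, 1025, 1077, 1051, 1099,
                        1042, 1068, 1033, 1085, 1059, 1027],
    "patched, no rewriting": [49213, 1893, 33107, 60422, 12744, 27001,
                              55310, 8090, 41877, 19456, 63002, 36519],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        print(f"{name:24s} {assess_source_ports(ports)}")
```

Any result other than "scattered" means the resolver upgrade alone has not changed what the outside world sees, and the NAT or firewall layer needs attention as well.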