[dns-operations] Clueless Major Backbone Provider

Jon Kibler Jon.Kibler at aset.com
Tue Jul 22 18:59:55 UTC 2008



Hi,

I have an 'interesting' situation. I have a client that is dependent
upon a major backbone provider for their recursive DNS services.
However, this provider appears to be next to clueless. They have put out
a notice to their customers which I will now quote in part -- with
vendor identification information deleted:

"On July 8, 2008, US-CERT issued a Technical Cyber Security Alert
TA08-190B with the title 'Multiple DNS implementations vulnerable to
cache poisoning.' ...

The DNS community has been aware of this vulnerability for some time.
CERT technical bulletin http://www.kb.cert.org/vuls/id/252735 issued in
July, 2007, identified this vulnerability but at the time no patches
were available from vendors.

[VENDOR] does not disclose the name of its DNS vendors as a security
measure but has implemented a preliminary patch that was available in
January, 2008. The latest patch for alert TA08-190B is currently being
tested ...

... the majority of [VENDOR]'s caching DNS infrastructures have load
balancers.  Load balancers decrease the risk significantly because
hackers are unable to target specific DNS servers."


Questions:
   1) How would you address the claims that this vulnerability is the
same as the one from a year ago? (2nd paragraph)

   2) Does the use of load balancers decrease the risk as claimed?
(paragraph 4)

Comment:
   Note in paragraph 3 the vendor says it does not disclose which name
servers it uses, but in paragraph 2 gives a link that references
BIND name servers.


TIA for answers to questions.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253





