[dns-operations] Clueless Major Backbone Provider
Jon Kibler
Jon.Kibler at aset.com
Tue Jul 22 18:59:55 UTC 2008
Hi,

I have an 'interesting' situation. I have a client that is dependent
upon a major backbone provider for their recursive DNS services.
However, this provider appears to be next to clueless. They have put out
a notice to their customers which I will now quote in part -- with
vendor identification information deleted:

"On July 8, 2008, US-CERT issued a Technical Cyber Security Alert
TA08-190B with the title 'Multiple DNS implementations vulnerable to
cache poisoning.' ...

The DNS community has been aware of this vulnerability for some time.
CERT technical bulletin http://www.kb.cert.org/vuls/id/252735 issued in
July, 2007, identified this vulnerability but at the time no patches
were available from vendors.

[VENDOR] does not disclose the name of its DNS vendors as a security
measure but has implemented a preliminary patch that was available in
January, 2008. The latest patch for alert TA08-190B is currently being
tested ...

... the majority of [VENDOR]'s caching DNS infrastructures have load
balancers. Load balancers decrease the risk significantly because
hackers are unable to target specific DNS servers."

Questions:

1) How would you address the claims that this vulnerability is the
same as the one from a year ago? (2nd paragraph)

2) Does the use of load balancers decrease the risk as claimed?
(paragraph 4)

Comment:

Note in paragraph 3 the vendor says it does not disclose which name
servers that it uses, but in paragraph 2 gives a link that references
BIND name servers.

TIA for answers to questions.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253