<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>
<div>Fair points, though once we start down the path of "unknown unknowns" Donald Rumsfeld gets to smile...and we can't have that.</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Damian Menscher <<a href="mailto:damian@google.com">damian@google.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, February 23, 2016 at 1:20 PM<br>
<span style="font-weight:bold">To: </span>michoski <<a href="mailto:michoski@cisco.com">michoski@cisco.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:dns-operations@dns-oarc.net">dns-operations@dns-oarc.net</a>" <<a href="mailto:dns-operations@dns-oarc.net">dns-operations@dns-oarc.net</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Tue, Feb 23, 2016 at 10:01 AM, Mike Hoskins (michoski)
<span dir="ltr"><<a href="mailto:michoski@cisco.com" target="_blank">michoski@cisco.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div id=":4mn" class="a3s" style="overflow:hidden">Just in case anyone's wondering, OpenDNS isn't affected.<br>
<br>
<a href="https://engineering.opendns.com/2016/02/17/2980/" rel="noreferrer" target="_blank">https://engineering.opendns.com/2016/02/17/2980/</a></div>
</blockquote>
</div>
<br>
They're not directly vulnerable, but their claim that they protect their users is a bit over-stated -- all RFC-compliant DNS servers provide the same protections (not forwarding packets that don't follow the DNS spec).  The problem is that there *might* be a way to exploit this via RFC-compliant DNS packets (I'm personally not convinced, but nobody wants to claim it's impossible).  And that would get past their defenses (and everyone else's).</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Additionally, anyone using a remote resolver is vulnerable to a MitM injecting a malicious response, so everyone should upgrade.  Claims that OpenDNS users "aren't affected" are misleading and dangerous.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Damian</div>
</div>
</div>
</div>
</span>
</body>
</html>