On Tue, 8 Jul 2008 22:43:54 -0300 Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote:
> On Tue, 08 Jul 2008, Florian Weimer wrote:
> > 1. Install a local BIND 9 resolver on the host, possibly in
> >    forward-only mode. BIND 9 will then use source port randomization
> >    when sending queries over the network. (Other caching resolvers can
> >    be used instead.)
> >
> > 2. Rely on IP address spoofing protection if available. Successful
> >    attacks must spoof the address of one of the resolvers, which may
> >    not be possible if the network is guarded properly against IP
> >    spoofing attacks (both from internal and external sources).
>
> 3. Install lwresd from an updated BIND9, install libnss-lwres, and
>    replace "dns" with "lwres" in /etc/nsswitch.conf. Make sure to
>    restart lwres when /etc/resolv.conf changes.

Hmm... libnss-lwres is orphaned (#475089), and is uninstallable on sid.

--
Hubert Chathi <[EMAIL PROTECTED]> -- Jabber: [EMAIL PROTECTED]
PGP/GnuPG key: 1024D/124B61FA http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
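
Step 1 of the quoted list (a local BIND 9 resolver in forward-only mode), as an added configuration sketch that is not part of the thread or from any of its participants. The file path, the loopback-only access settings and the 192.0.2.x forwarder addresses are assumptions and placeholders; substitute the resolvers currently listed in /etc/resolv.conf.

```conf
// /etc/bind/named.conf.options  (assumed Debian location)
options {
    directory "/var/cache/bind";

    // Host-local resolver: listen and answer on loopback only.
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query { localhost; };
    recursion yes;

    // Forward-only mode: every query goes to the upstream resolvers,
    // with no fallback to iterating from the root servers.
    forward only;
    forwarders {
        192.0.2.53;   // placeholder upstream resolver
        192.0.2.54;   // placeholder upstream resolver
    };

    // Weak setting, shown commented out: pinning the source port
    // turns off the source port randomization that step 1 relies on.
    // query-source address * port 53;
    //
    // Either omit query-source entirely or leave the port unpinned:
    query-source address * port *;
};

// After restarting named, point the stub resolver at it by making
// "nameserver 127.0.0.1" the only nameserver line in /etc/resolv.conf.
```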