* Noah Meyerhans:

> On Wed, Jul 09, 2008 at 06:10:51PM +0200, Wolfgang Jeltsch wrote:
>> > At this time, it is not possible to implement the recommended
>> > countermeasures in the GNU libc stub resolver.
>>
>> I don't have bind9 installed. Am I affected by the libc stub resolver bug?
>
> Yes. I suggest that you install bind9, configure it to only listen on
> 127.0.0.1, and add "nameserver 127.0.0.1" to resolv.conf before any
> other nameserver lines (since they're queried in order).

On the one hand, if you don't build a network of your own, and your ISP properly filters their Internet connection and their customer interfaces to stop source address spoofing, it's not possible to forge DNS traffic which claims to come from the ISP resolver. (Since the addresses involved are theirs, they can actually do it--globally, on the whole Internet, it's much more difficult.) So in many cases, countermeasures aren't really necessary.

On the other hand, the amount of filtering varies greatly from region to region, and even from ISP to ISP. Certainly, there are some broadband deployments with shockingly little filtering, and customers can attack each other in these cases (but only by spoofing blindly). That's why we're looking into providing a libc update.
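
Added example, not part of the original messages: a small check of whether a resolv.conf actually puts a loopback resolver first, as the quoted advice requires, given that entries are queried in order and glibc reads at most three of them. The sample files and the function names (`nameservers`, `is_loopback`, `audit`) are constructed for illustration.

```python
import ipaddress

MAXNS = 3  # glibc's stub resolver reads at most three nameserver lines

# Constructed samples (documentation addresses), not taken from the thread.
SAMPLE_ISP_FIRST = """\
# written by a DHCP client
search example.net
nameserver 192.0.2.53
nameserver 192.0.2.54
nameserver 198.51.100.53
nameserver 127.0.0.1
"""
SAMPLE_LOCAL_FIRST = "nameserver 127.0.0.1\nnameserver 192.0.2.53\n"


def nameservers(text):
    """Return the nameserver addresses in the order they appear."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    # resolv.conf(5): with no nameserver line, the local machine is used.
    return servers or ["127.0.0.1"]


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False  # not an IP address; treat as non-local


def audit(text):
    """Return findings where the local resolver is not queried first."""
    servers = nameservers(text)
    findings = []
    if not is_loopback(servers[0]):
        findings.append(f"first nameserver {servers[0]} is not loopback")
    for pos, addr in enumerate(servers[1:], start=2):
        if is_loopback(addr) and not is_loopback(servers[0]):
            findings.append(f"loopback {addr} is entry {pos}, after remote servers")
    for addr in servers[MAXNS:]:
        findings.append(f"{addr} is beyond entry {MAXNS} and is ignored")
    return findings


if __name__ == "__main__":
    for name, text in (("isp-first", SAMPLE_ISP_FIRST), ("local-first", SAMPLE_LOCAL_FIRST)):
        print(name, audit(text) or "ok")
```

DHCP clients commonly rewrite resolv.conf, so the check is worth rerunning after a lease renewal.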