Quoting Hideki Yamane ([EMAIL PROTECTED]):
> I want to know that, too.
> Should ALL systems (servers or desktops/laptops) have the bind9 (or
> something) package installed and configured, or do they need to wait for an update?
My own preference is, indeed, to have one of the following as a local
recursive resolver:
o MaraDNS's recursor module (not enabling the authoritative
zoneserver): Author built in a custom RNG from the beginning
o Unbound: Author built in a custom RNG from the beginning
o dnscache from djbdns: built in a custom RNG from the beginning, _and_
the author made a point of warning everyone else of the pitfall (but
you have to put up with djb weirdness, apply patches, etc.)
o PowerDNS Recursor: Retrofitted a custom RNG in March 2008, after
the Kaminsky issue emerged behind closed doors, which is better than
nothing but doesn't lend confidence. (OTOH, it's small, light,
and easy to install/configure.)
o BIND9 run just for its recursive-resolver functions (but it's
bloated, slow, overfeatured, and ignored the issue for years)
I'd lock the host's DNS client via /etc/resolv.conf to query only
localhost. At that point, client weaknesses in source port
randomisation become a non-issue.
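The lock-down described in the last paragraph, as an added example that is not part of the original message or of any of the resolver projects it names. It assumes Unbound as the local recursive resolver, a PREFIX variable (/ on a real host, a scratch directory for a dry run) and helper names chosen for this example; the Unbound options shown are standard ones, but the file is a minimal loopback-only starting point, not a vetted production config.

```shell
#!/bin/sh
# Added example, not from the original message or from any resolver project:
# lock the host's stub resolver to a local recursive resolver and verify it.
# PREFIX and the helper names below are assumptions so this runs without root.

PREFIX="${PREFIX:-/}"

# Write a resolv.conf whose only nameserver is the loopback address.
# The options line is a reasonable choice, not something the message mandates.
write_localhost_resolv_conf() {
    cat > "$1" <<'EOF'
# Managed locally: every lookup goes to the recursive resolver on this host.
nameserver 127.0.0.1
options timeout:1 attempts:2
EOF
}

# Write a minimal Unbound config that listens on loopback only and answers
# only local clients (addresses with no matching rule get the default
# action, refuse). Any of the other resolvers in the message could be used.
write_unbound_local_conf() {
    cat > "$1" <<'EOF'
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    harden-glue: yes
    hide-identity: yes
    hide-version: yes
EOF
}

# Return 0 only if the given resolv.conf has at least one nameserver line
# and every nameserver is a loopback address (127.x.x.x or ::1).
# A file with no nameserver line at all is rejected so an empty or
# truncated file is not silently accepted.
resolv_conf_is_localhost_only() {
    file="$1"
    [ -r "$file" ] || return 1
    count=0
    while read -r key val _rest; do
        case "$key" in
            nameserver)
                count=$((count + 1))
                case "$val" in
                    127.*|::1) ;;
                    *) return 1 ;;
                esac
                ;;
        esac
    done < "$file"
    [ "$count" -gt 0 ]
}

# Install both files under PREFIX (PREFIX=/ for a real host, a scratch
# directory for a dry run) and report whether the lock-down took effect.
install_localhost_resolver() {
    etc="${PREFIX%/}/etc"
    mkdir -p "$etc/unbound"
    write_unbound_local_conf "$etc/unbound/unbound.conf"
    write_localhost_resolv_conf "$etc/resolv.conf"
    resolv_conf_is_localhost_only "$etc/resolv.conf"
}

# Only act when explicitly asked, e.g.:  PREFIX=/tmp/dryrun sh lockdns.sh install
if [ "${1:-}" = "install" ]; then
    install_localhost_resolver && echo "resolv.conf now points only at localhost"
fi
```

Try it with `PREFIX=/tmp/dryrun sh lockdns.sh install` before touching a real host. The check function rejects any nameserver line that is not loopback, which catches the common failure mode where a DHCP client or resolvconf hook later appends an upstream server to /etc/resolv.conf and quietly reopens the path the message is trying to close; re-run it after network changes.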