Quick question - If you don't implement a patch, are you leaving yourself exposed to a DoS attack? A simple Perl script enumerating random domains and digging at an ISP server could probably fill a DNS cache over a period of time. (It would eventually fall over, I guess...)

Rob

-----Original Message-----
From: Nic Bellamy [mailto:nic(a)bellamy.co.nz]
Sent: Wednesday, 17 September 2003 10:25 a.m.
To: nznog(a)list.waikato.ac.nz

On Wed, 2003-09-17 at 09:29, Joe Abley wrote:
On Monday, Sep 15, 2003, at 23:58 Canada/Eastern, Juha Saarinen wrote:
Brent McDowell wrote:
For those of you who use djbdns, a patch has been released that rejects A records that resolve to 64.94.110.11. It'll return NXDOMAIN. http://tinydns.org/djbdns-1.05-ignoreip.patch
Anything for BIND 9?
I am told an official patch is being tested right now.
In the interim, there's a patch floating around for bind9 - haven't found an
official site for it, so I've chucked it up at:
http://www.bellamy.co.nz/stuff/bind9-antiverisign.patch
I can confirm it Works For Me(tm) (even if it's done in a rather ugly
manner).
Cheers,
Nic.
--
Nic Bellamy
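The rule the djbdns and BIND 9 patches mentioned in the thread implement is simple: if an answer contains an A record for 64.94.110.11 (the SiteFinder address), drop the answer and hand the client NXDOMAIN instead. The following is an added illustration of that rule written against raw DNS wire format with only the Python standard library; it is not the code from either patch, which live in the linked resolvers. The sample response messages are constructed inline (the query name and transaction ID are made up), and the filter only inspects the answer section, which is the assumption under which the checks below hold.

```python
import struct
import ipaddress

# Address the patches in the thread reject; anything resolving here becomes NXDOMAIN.
SITEFINDER_IP = ipaddress.IPv4Address("64.94.110.11")
RCODE_NXDOMAIN = 3
TYPE_A = 1
CLASS_IN = 1
HEADER_LEN = 12


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:            # root label: end of name
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def _end_of_question(msg, qdcount):
    """Offset of the first byte after the question section."""
    off = HEADER_LEN
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    return off


def _parse_rr(msg, off):
    """Parse one resource record; return (type, class, ttl, rdata, next_offset)."""
    off = _skip_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated rdata")
    return rtype, rclass, ttl, rdata, off + rdlen


def answer_points_at(msg, blocked_ip=SITEFINDER_IP):
    """True if any IN A record in the answer section carries blocked_ip."""
    _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = _end_of_question(msg, qd)
    for _ in range(an):
        rtype, rclass, _, rdata, off = _parse_rr(msg, off)
        if rtype == TYPE_A and rclass == CLASS_IN and len(rdata) == 4:
            if ipaddress.IPv4Address(rdata) == blocked_ip:
                return True
    return False


def filter_response(msg, blocked_ip=SITEFINDER_IP):
    """Return msg unchanged, or a rewrite of it with RCODE=NXDOMAIN, the question
    section kept and every other section emptied."""
    if not answer_points_at(msg, blocked_ip):
        return msg
    txid, flags, qd, _, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    end_q = _end_of_question(msg, qd)
    flags = (flags & 0xFFF0) | RCODE_NXDOMAIN   # low 4 bits of flags are RCODE
    header = struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0)
    return header + msg[HEADER_LEN:end_q]


def rcode(msg):
    return struct.unpack_from("!H", msg, 2)[0] & 0x0F


def ancount(msg):
    return struct.unpack_from("!H", msg, 6)[0]


def build_response(qname, ip, ttl=300, txid=0x1234):
    """Constructed sample data: a minimal standard response with one A answer."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    name = labels + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, RCODE 0
    question = name + struct.pack("!HH", TYPE_A, CLASS_IN)
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) \
        + ipaddress.IPv4Address(ip).packed
    return header + question + answer


if __name__ == "__main__":
    wildcard = build_response("nosuchname-qzx.com", "64.94.110.11")
    normal = build_response("www.example.com", "192.0.2.1")
    print("wildcard hit -> rcode", rcode(filter_response(wildcard)))   # 3
    print("normal name  -> rcode", rcode(filter_response(normal)))     # 0
```

Two caveats worth noting for anyone filtering this way in front of a cache: the rewrite above carries no SOA in the authority section, so downstream resolvers cannot negatively cache the synthesised NXDOMAIN and will re-ask for every lookup; and because only the answer section is inspected, a name that reaches 64.94.110.11 through a CNAME chain is caught only if the final A record is present in the same message, which is the usual case for a recursive answer but not guaranteed.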