
nanog mailing list archives

Re: how to protect name servers against cache corruption
From: Karl Denninger <karl () Mcs Net>
Date: Tue, 22 Jul 1997 21:06:12 -0500

On Tue, Jul 22, 1997 at 01:24:59PM -0700, Paul A Vixie wrote:
> a BIND 4.9.6 or 8.1.1 server is immune.  so, you could upgrade.  to so do,
> see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/.
> (the root name servers are all running modern software at this point.)
>
> alternic's corruption works by locating authoritative name servers via the
> "NS RR"'s published in various zones.  if you run these as authoritative-
> only (recursion disabled) then they will never fetch any data from anywhere.
> (the root name servers are configured this way, for example.)  the downside
> is that you can't list such nameservers in your "resolv.conf" files or PC
> equivalents (Control Panel\Networking\TCP IP Settings, or some such rot.)
> this means you need more name servers if you separate recursive from non-
> recursive.

Well, Alternic's persona-non-grata (Eugene) is about to find himself in a
LOT of hot water for what he's done.

I have been told by a media figure who called me that the civil charges, 
including a petition to seize *all* of his hardware, are being read 
tomorrow.  I expect that there may be criminal issues involved here 
as well.

Playing "hahaha, www.biteme.eugene resolves now" is a childish prank of 
no significance.  Hijacking someone else's web site using the same trick, 
however, is an entirely different thing and is no laughing matter.

I'm with Paul on this one (see, Paul, we can agree on something once in a
while :-)  -- update your code to either 4.9.6 or (preferably) 8.1.1

--
-- 
Karl Denninger (karl () MCS Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, http://www.mcs.net/
Voice: [+1 312 803-MCS1 x219]| NOW Serving 56kbps DIGITAL on our analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
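
The quoted advice above is to run the name servers listed in NS records as authoritative-only (recursion disabled). As an added example, not part of the original message or of BIND: a Python check of the RA (recursion available) bit in a server's reply header, which lets an operator confirm from outside that one of their own servers refuses recursion. The function names, the fixed query id and the sample packets are constructed for illustration.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
QID = 0x1234  # fixed query id, fine for a one-shot audit of your own server

def build_query(zone, qtype=2):
    """Build a DNS query (NS by default) with RD set, i.e. asking for recursion."""
    labels = [l for l in zone.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", QID, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify_response(packet):
    """Report whether the responding server offers recursion (RA bit set)."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != QID or not flags & QR:
        raise ValueError("not a response to our query")
    return "recursion-offered" if flags & RA else "authoritative-only"

def probe(server, zone, timeout=3.0):
    """Send the query to one of your own name servers over UDP and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server, 53))
        data, _ = s.recvfrom(512)
    return classify_response(data)

def _reply(flags, zone="example.com"):
    """Constructed sample reply: header with the given flags plus the echoed question."""
    return struct.pack("!HHHHHH", QID, flags, 1, 0, 0, 0) + build_query(zone)[12:]

# Constructed packets, not captures: one server that refuses recursion, one that offers it.
SAMPLE_AUTH_ONLY = _reply(QR | AA | RD)
SAMPLE_RECURSIVE = _reply(QR | RD | RA)

if __name__ == "__main__":
    print(classify_response(SAMPLE_AUTH_ONLY))
    print(classify_response(SAMPLE_RECURSIVE))
```

A server meant to be authoritative-only should classify as such for every zone it serves; `probe()` needs network access and is not exercised by the embedded samples.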

