Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

DNS caching exploit defense with iptables

From: Michael Rash <mbr () cipherdyne org>
Date: Tue, 15 Jul 2008 21:58:19 -0400
Hi -

It's well known that Dan Kaminsky is going to present a significant
development regarding a caching exploit against DNS at Blackhat this
year.  For anyone who has not patched their DNS servers, here is a
strategy for adding a single iptables "SNAT --random" rule to mitigate
the attack (for those DNS servers deployed on or behind a system running
Linux):

http://www.cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html

Other firewall architectures support similar functionality as well.

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
Previous By Date Next
Previous By Thread Next

Current thread: