Internet Systems Consortium Information for VU#800113
Vendor Statement

ISC is providing patches for BIND 9.3, 9.4 and 9.5 (tagged -P1) that implement measures to enhance resilience against this sort of attack. BIND accomplishes this by including the use of the source port queries as additional information that would need to be predicted by a successful attack. ISC is also making beta releases, BIND 9.5.1b1 and 9.4.3b2, available for download and testing. These beta releases provide the same improved resiliency as the patches but with better performance for servers with query volumes at or above 10,000 queries per second. They are, however, betas, not fully tested production releases. The patches (P1 versions) are fully tested today and released for production use. Older versions of BIND 9 and BIND 8 will not be patched as they are EOL.

ISC notes that even with these measures, the nature of the DNS protocol is such that attacks of this nature may still succeed. The only solution to fully counter this sort of attack is to deploy DNSSEC in DNS zones and enable DNSSEC validation in the resolvers.

Vendor Information

Addendum

There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
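The vendor statement above rests on the query source port being hard to predict, so a patched resolver is worth checking from the outside. The following is an added example, not code from ISC or from this vulnerability note: it classifies a series of observed source ports, and the function name, thresholds and sample port lists are assumptions constructed for illustration.

```python
import statistics

def assess_source_ports(ports, near=16, min_stdev=3000.0):
    """Classify how predictable a resolver's query source ports are.

    ports: UDP source ports of consecutive queries, in the order seen by an
    authoritative server (that is, after any device that rewrites ports).
    near and min_stdev are illustrative thresholds, not vendor values.
    """
    if len(ports) < 10:
        raise ValueError("need at least 10 samples")
    distinct = len(set(ports))
    # Step between consecutive ports, wrapped to the 16-bit port space.
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    near_steps = sum(1 for s in steps if s <= near or s >= 65536 - near)
    predictable = near_steps / len(steps)
    stdev = statistics.pstdev(ports)
    if distinct == 1:
        verdict = "fixed"        # port adds nothing to the 16-bit query ID
    elif predictable > 0.5:
        verdict = "sequential"   # next port can be guessed from the last
    elif stdev < min_stdev:
        verdict = "narrow"       # ports vary, but only within a small pool
    else:
        verdict = "randomized"
    return {"distinct": distinct, "predictable_steps": predictable,
            "stdev": stdev, "verdict": verdict}

# Constructed samples, not captured traffic.
FIXED = [53] * 20
SEQUENTIAL = [32768 + i for i in range(20)]
NARROW = [2000, 2300, 2100, 2700, 2050, 2500, 2250, 2650, 2150, 2400]
RANDOMIZED = [40211, 1893, 57344, 22871, 61002, 9377, 33120, 48765, 15002,
              27640, 63999, 5120, 36488, 19873, 52310, 12001, 44790, 30555,
              59011, 7444]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("randomized", RANDOMIZED)]:
        print(name, assess_source_ports(sample))
```

Any verdict other than "randomized" on a patched resolver suggests that something in the path, or the resolver's own configuration, is undoing the port selection.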