public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tom Lane <[email protected]>
To: [email protected]
Subject: Insecure DNS servers on PG infrastructure
Date: Fri, 25 Jul 2008 11:02:03 -0400
Message-ID: <[email protected]> (raw)
I just noted that cvs.postgresql.org and svr1.postgresql.org are not
running the latest bind release, which means that they are vulnerable to
the DNS cache poisoning attack recently discovered by Dan Kaminsky.
Vixie and co think this is a pretty big deal, so folks might want to
update sooner rather than later.
http://www.kb.cert.org/vuls/id/800113
BTW, there is an excellent end-to-end test available for whether the
security fix (port randomization) is actually working for you:
dig @server-to-test porttest.dns-oarc.net in txt
This takes a few seconds (they've arranged it to force multiple queries
from the tested server) and gives you back a readout of how many ports
those queries arrived from and the spread in the port addresses.
A good result looks about like this:
;; ANSWER SECTION:
porttest.dns-oarc.net. 60 IN CNAME z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. 60 IN TXT "66.207.139.134 is GOOD: 26 queries in 2.3 seconds from 26 ports with std dev 17102.06"
If it says FAIR or POOR then you have an unpatched server or there
is something interfering with the port randomization. If the server
is behind a NAT firewall then the latter is entirely likely.
regards, tom lane
view thread (11+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected]
Subject: Re: Insecure DNS servers on PG infrastructure
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox