[afnog] Big DNS vulnerability
bortzmeyer at nic.fr
Wed Jul 23 08:19:42 UTC 2008
On Wed, Jul 09, 2008 at 11:05:46AM +0200,
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
a message of 28 lines which said:
> Executive summary: upgrade your recursive name servers ASAP.
The detailed announcement, which was scheduled for August 7th, has
been made in advance (by accident or by desire for fame):
As a result, every cracker on the planet now knows how to write an
exploit. So, we can expect actual uses of the vulnerability at any
moment. And it is a serious one.
> For BIND users (do note that several vendors who ship BIND already
> have the upgraded version, for instance Debian and Gentoo):
> For Microsoft users:
> For Cisco users:
Patching is therefore now URGENT. According to this survey:
many big ISPs in the USA are STILL vulnerable (I do not know if someone
performed the same survey in Africa but I suspect it will not be much
Only one message: if not patched yet, PATCH NOW.
To test if the resolver is relatively secure, the best Web tool is:
and the best command-line tool is dig :-)
dig @X.Y.Z.T +short porttest.dns-oarc.net TXT
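
An added example, not part of the original message: a small shell wrapper that runs the dig test above against a resolver and turns the answer into a verdict. The reply format and the POOR/GOOD/GREAT ratings are assumptions about what the porttest service returns; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample answers in the ASSUMED porttest TXT format (documentation addresses).
SAMPLE_POOR='"192.0.2.53 is POOR: 26 queries in 4.4 seconds from 1 ports with std dev 0"'
SAMPLE_GREAT='"192.0.2.54 is GREAT: 26 queries in 2.0 seconds from 26 ports with std dev 17685.51"'

# classify_porttest LINE  (hypothetical helper)
# Prints "<address> <rating> <ports> <verdict>".
# <address> is the source address the test server saw. If the resolver
# forwards its queries, that is the upstream forwarder, and the rating
# describes the forwarder rather than the host you pointed dig at.
classify_porttest() {
    line=$(printf '%s' "$1" | tr -d '"')
    addr=$(printf '%s\n' "$line" | sed -n 's/^\([^ ]*\) is \([A-Z]*\):.*/\1/p')
    rating=$(printf '%s\n' "$line" | sed -n 's/^\([^ ]*\) is \([A-Z]*\):.*/\2/p')
    ports=$(printf '%s\n' "$line" | sed -n 's/.* from \([0-9]*\) ports.*/\1/p')
    # Timeouts, SERVFAIL or an unexpected format: do not guess a rating.
    if [ -z "$rating" ] || [ -z "$ports" ]; then
        echo "- UNKNOWN 0 CHECK-MANUALLY"
        return 0
    fi
    case "$rating" in
        GREAT|GOOD) verdict=OK ;;
        *)          verdict=PATCH-NOW ;;
    esac
    # Every query from one source port is predictable, whatever the label says.
    if [ "$ports" -le 1 ]; then
        verdict=PATCH-NOW
    fi
    echo "$addr $rating $ports $verdict"
}

# check_resolver ADDRESS  (hypothetical helper; needs network access and dig)
# With +short, dig prints the CNAME target first and the TXT answer last.
check_resolver() {
    answer=$(dig @"$1" +short porttest.dns-oarc.net TXT | tail -n 1)
    classify_porttest "$answer"
}

# Typical use, one line per resolver you operate:
#   for r in 192.0.2.53 192.0.2.54; do check_resolver "$r"; done
```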