{"id":"DSA-1604-1","summary":"bind - DNS cache poisoning","details":"\nDan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS cache poisoning attacks. Among other things,\nsuccessful attacks can lead to misdirected web traffic and email\nrerouting.\n\n\nThe BIND 8 legacy code base could not be updated to include the\nrecommended countermeasure (source port randomization, see\n[DSA-1603-1](dsa-1603)\nfor details). There are two ways to deal with this situation:\n\n\n1. Upgrade to BIND 9 (or another implementation with source port\nrandomization). The documentation included with BIND 9 contains a\nmigration guide.\n\n\n2. Configure the BIND 8 resolver to forward queries to a BIND 9\nresolver. Provided that the network between both resolvers is trusted,\nthis protects the BIND 8 resolver from cache poisoning attacks (to the\nsame degree that the BIND 9 resolver is protected).\n\n\nThis problem does not apply to BIND 8 when used exclusively as an\nauthoritative DNS server. It is theoretically possible to safely use\nBIND 8 in this way, but updating to BIND 9 is strongly recommended.\nBIND 8 (that is, the bind package) will be removed from the etch\ndistribution in a future point release.\n\n\n","modified":"2022-07-04T02:00:31.190300Z","published":"2008-07-08T00:00:00Z","withdrawn":"2024-05-15T05:36:14.040574Z","schema_version":"1.7.3"}