Hi -
It's well known that Dan Kaminsky is going to present a significant
development regarding a caching exploit against DNS at Blackhat this
year. For anyone who has not patched their DNS servers, here is a
strategy for adding a single iptables "SNAT --random" rule to mitigate
the attack (for those DNS servers deployed on or behind a system running
Linux):
http://www.cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.htmlOther firewall architectures support similar functionality as well.
--
Michael Rash
http://www.cipherdyne.org/Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
