On Wednesday 09 July 2008 14:16:53 Jay R. Ashworth wrote:
On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-Fran?ois Mezei wrote:
My DNS server made the various DNS requests from the same port and is thus vulnerable. (VMS TCPIP Services so no patches expected).
Well, yes, but unless I've badly misunderstood the situation, all that's necessary to mitigate this bug is to interpose a non-buggy recursive resolver between the broken machine and the Internet at large, right?
He said "DNS server", which you wouldn't want to point at a correct named, because that would be forwarding, and forwarding has its own security issues. I've already dragged a name server here back to a supported OS version today because of this, don't see why others should escape ;)