Re: large organization nameservers sending icmp packets to dns servers.
I suspect that the origin of the myth that DNS/TCP is more dangerous than DNS/UDP is that the first root exploit of named was over TCP not UDP. There were later exploits that were UDP only which totally busted the myth but it continues to live.
Mark
In article <200708100143.l7A1hNSY034263@drugs.dv.isc.org> you write:
I suspect that the origin of the myth that DNS/TCP is more dangerous than DNS/UDP is that the first root exploit of named was over TCP not UDP. There were later exploits that were UDP only which totally busted the myth but it continues to live.
Mark
Just to make it clear. This was BIND 4/8 code and the bugs were addressed in the last millennium. To date there are no known root exploits for BIND 9.
Mark
On 8/9/2007 at 10:07 PM, Mark Andrews <Mark_Andrews@isc.org> wrote:
In article <200708100143.l7A1hNSY034263@drugs.dv.isc.org> you write:
I suspect that the origin of the myth that DNS/TCP is more dangerous than DNS/UDP is that the first root exploit of named was over TCP not UDP. There were later exploits that were UDP only which totally busted the myth but it continues to live.
Mark
Just to make it clear. This was BIND 4/8 code and the bugs were addressed in the last millennium.
To date there are no known root exploits for BIND 9.
Because who runs BIND as root anymore?
--
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387
On 8/9/2007 at 10:07 PM, Mark Andrews <Mark_Andrews@isc.org> wrote:
In article <200708100143.l7A1hNSY034263@drugs.dv.isc.org> you write:
I suspect that the origin of the myth that DNS/TCP is more dangerous than DNS/UDP is that the first root exploit of named was over TCP not UDP. There were later exploits that were UDP only which totally busted the myth but it continues to live.
Mark
Just to make it clear. This was BIND 4/8 code and the bugs were addressed in the last millennium.
To date there are no known root exploits for BIND 9.
Because who runs BIND as root anymore?
Lots of people. It's the only way you can handle some events.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org