Re: [squid-users] [UPDATED] Advisory SQUID-2010:1 - Denial of Service issue in DNS handling

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Feb 2010 22:41:52 +1300

Mikio Kishi wrote:
> Hi, Amos
>
>> Workarounds:
>>
>> Using all of the following steps are required to protect a
>> vulnerable Squid from this and other forms of DNS attack.
>>
>> * Ensuring the ignore_unknown_nameservers is turned on.
>>
>> * Ensuring that DNS packets cannot be sent to Squid from
>> untrusted nameservers or other machines.
>>
>> The most secure implementation of these requirements is to use
>> a nameserver running on the localhost IP dedicated for secure use
>> by Squid and any other services on the Squid machine.
>
> I'd like to make sure about the above. "The most secure implementation" means that
>
> - The ignore_unknown_nameservers is turned on (default)
>
> - The /etc/resolv.conf on squid server is following
> nameserver 127.0.0.1
>
> - The localhost nameserver on the squid server is just a caching-only
> server, like BIND.
>
> Is it correct?
>
> Sincerely,
>
> --
> Mikio Kishi
>

Yes.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
   Current Beta Squid 3.1.0.16
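The checklist Mikio describes and Amos confirms (ignore_unknown_nameservers left on, only a loopback nameserver in use) is easy to verify mechanically. The script below is an added example for this thread, not code from Squid or from either poster: it reads a squid.conf and a resolv.conf and fails if either condition is violated. It also covers one case the thread does not spell out: Squid's own dns_nameservers directive, when present, overrides resolv.conf, so a correct resolv.conf is not enough if squid.conf points elsewhere. The sample configuration files are constructed inline in temporary files; the function names and paths are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): verify the SQUID-2010:1 workaround.
#   1. ignore_unknown_nameservers must not be turned off (default is on).
#   2. Every nameserver Squid will actually use must be loopback.
# Returns 0 when both hold, 1 otherwise.

check_squid_dns_workaround() {
    squid_conf="$1"
    resolv_conf="$2"

    # Condition 1: an explicit "off" is the only way to lose the default.
    if grep -Eq '^[[:space:]]*ignore_unknown_nameservers[[:space:]]+off' "$squid_conf"; then
        echo "FAIL: ignore_unknown_nameservers is off in $squid_conf"
        return 1
    fi

    # Condition 2: dns_nameservers in squid.conf takes precedence over
    # resolv.conf, so read that first and fall back to resolv.conf only
    # when it is absent.
    servers=$(awk '/^[ \t]*dns_nameservers[ \t]/ { for (i = 2; i <= NF; i++) print $i }' "$squid_conf")
    if [ -z "$servers" ]; then
        servers=$(awk '/^[ \t]*nameserver[ \t]/ { print $2 }' "$resolv_conf")
    fi
    if [ -z "$servers" ]; then
        echo "FAIL: no nameserver configured at all"
        return 1
    fi

    for s in $servers; do
        case "$s" in
            127.*|::1) ;;   # loopback: DNS replies cannot arrive from off-box
            *) echo "FAIL: non-loopback nameserver $s"; return 1 ;;
        esac
    done
    echo "OK: Squid resolves only via loopback ($servers)"
    return 0
}

# Helper: write constructed squid.conf / resolv.conf bodies to a temp
# directory, run the check, clean up, and pass the result through.
run_check_on() {
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/squid.conf"
    printf '%s\n' "$2" > "$d/resolv.conf"
    check_squid_dns_workaround "$d/squid.conf" "$d/resolv.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Hardened: the setup Mikio describes.
sample_hardened() {
    run_check_on 'http_port 3128
ignore_unknown_nameservers on' 'nameserver 127.0.0.1'
}

# Vulnerable: replies from unknown servers accepted, resolver off-box.
sample_vulnerable() {
    run_check_on 'http_port 3128
ignore_unknown_nameservers off' 'nameserver 192.0.2.53'
}

# Subtle: resolv.conf is fine, but squid.conf overrides it.
sample_override() {
    run_check_on 'http_port 3128
dns_nameservers 192.0.2.53' 'nameserver 127.0.0.1'
}

sample_hardened
sample_vulnerable
sample_override
```

Run it as is to see the three verdicts; point `check_squid_dns_workaround` at the real `/etc/squid/squid.conf` and `/etc/resolv.conf` to audit a live box. The check deliberately treats any non-loopback address as a failure, matching the advisory's wording that DNS packets must not be able to reach Squid from other machines.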
Received on Wed Feb 03 2010 - 09:42:02 MST