Insecure DNS servers on PG infrastructure

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-www(at)postgreSQL(dot)org
Subject: Insecure DNS servers on PG infrastructure
Date: 2008-07-25 15:02:03
Message-ID: 26210.1216998123@sss.pgh.pa.us
Lists: pgsql-www

I just noted that cvs.postgresql.org and svr1.postgresql.org are not
running the latest bind release, which means that they are vulnerable to
the DNS cache poisoning attack recently discovered by Dan Kaminsky.
Vixie and co think this is a pretty big deal, so folks might want to
update sooner rather than later.
http://www.kb.cert.org/vuls/id/800113

BTW, there is an excellent end-to-end test available for whether the
security fix (port randomization) is actually working for you:

dig @server-to-test porttest.dns-oarc.net in txt

This takes a few seconds (they've arranged it to force multiple queries
from the tested server) and gives you back a readout of how many ports
those queries arrived from and the spread in the port addresses.
A good result looks about like this:

;; ANSWER SECTION:
porttest.dns-oarc.net. 60 IN CNAME z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. 60 IN TXT "66.207.139.134 is GOOD: 26 queries in 2.3 seconds from 26 ports with std dev 17102.06"

If it says FAIR or POOR then you have an unpatched server or there
is something interfering with the port randomization. If the server
is behind a NAT firewall then the latter is entirely likely.

regards, tom lane
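The following is an added example, not part of Tom's message or of the PostgreSQL infrastructure tooling. It automates the check he describes: run the dig query against a resolver, pull the GOOD/FAIR/POOR verdict and the port figures out of the TXT answer, and treat anything other than GOOD as a failure. It also shows, on constructed source-port lists, how the two numbers porttest reports (distinct ports and standard deviation) separate a fixed-port resolver or a NAT that rewrites to a sequential range from a properly randomized one. The answer format is inferred from the sample quoted above; that porttest uses the population standard deviation is an assumption.

```python
"""Check a recursive resolver's source-port randomization via porttest.dns-oarc.net.

Added example (not from the original message). run_porttest() shells out to dig
exactly as the message suggests and needs network access; everything else works
offline on the TXT answer text, so it can be exercised against the quoted sample.
"""
import re
import statistics
import subprocess

# Constructed sample: the TXT answer line quoted in the message, as dig prints it.
SAMPLE_ANSWER = (
    "z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. 60 IN TXT "
    '"66.207.139.134 is GOOD: 26 queries in 2.3 seconds from 26 ports with std dev 17102.06"'
)

# Field layout of the porttest answer, inferred from the sample above.
# Assumption: the service keeps this wording; anything else makes parse_porttest() raise.
PORTTEST_RE = re.compile(
    r"(?P<addr>[0-9a-fA-F.:]+) is (?P<verdict>GOOD|FAIR|POOR): "
    r"(?P<queries>\d+) queries in (?P<seconds>[\d.]+) seconds "
    r"from (?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"
)


def parse_porttest(text):
    """Extract verdict and figures from a porttest TXT answer (or whole dig output)."""
    m = PORTTEST_RE.search(text)
    if m is None:
        raise ValueError("no porttest.dns-oarc.net verdict found in: %r" % text)
    return {
        "addr": m.group("addr"),
        "verdict": m.group("verdict"),
        "queries": int(m.group("queries")),
        "seconds": float(m.group("seconds")),
        "ports": int(m.group("ports")),
        "stddev": float(m.group("stddev")),
    }


def is_acceptable(result):
    """Only GOOD passes. FAIR or POOR means an unpatched server, or something
    between it and the Internet (typically a NAT) collapsing the port spread."""
    return result["verdict"] == "GOOD"


def port_spread(source_ports):
    """Distinct-port count and population std dev: the two figures porttest reports.
    Assumption: porttest uses the population std dev; the sample std dev differs
    only slightly at 26 queries and does not change the conclusion."""
    return len(set(source_ports)), statistics.pstdev(source_ports)


def run_porttest(server, dig="dig"):
    """Run the end-to-end test from the message against `server` and parse the answer.
    Requires dig and network access; not exercised offline."""
    out = subprocess.run(
        [dig, "@" + server, "porttest.dns-oarc.net", "in", "txt"],
        capture_output=True, text=True, check=True, timeout=60,
    ).stdout
    return parse_porttest(out)


if __name__ == "__main__":
    # Offline demonstration of the failure modes the message describes, using
    # constructed source-port lists in place of real captures.
    fixed = [53] * 26                          # pre-fix BIND: one fixed query port
    nat_sequential = list(range(30000, 30026))  # NAT rewriting to a sequential range
    randomized = [1025, 61204, 7731, 44512, 23819, 59007, 12345, 38642, 5120, 50321,
                  17809, 64000, 29384, 9901, 47615, 33210, 2048, 55555, 40960, 14777,
                  62001, 21000, 36666, 8192, 51200, 27077]
    for name, ports in [("fixed", fixed), ("nat sequential", nat_sequential),
                        ("randomized", randomized)]:
        n, sd = port_spread(ports)
        print("%-15s %2d ports, std dev %.2f" % (name, n, sd))
    r = parse_porttest(SAMPLE_ANSWER)
    print(r["addr"], r["verdict"], "acceptable" if is_acceptable(r) else "needs attention")
```

Note that a sequential range scores 26 distinct ports, the same count as the good result, but a standard deviation of 7.5 instead of roughly 17000; the count alone is not enough, which is why porttest reports both.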
