Posts tagged Linux

Domain Name Server patch

0
July 13, 2008
by Michael McNamara in

O'Reilly DNS and BIND Last week there was a flurry of information revolving around a new security flaw in the Domain Name System — software that acts as the central nervous system for the entire Internet.

On Tuesday July 10, 2008 a number of vendors including Microsoft, Cisco, Juniper and RedHat released patches and/or acknowledged the flaw existed. The Internet Software Consortium, the group responsible for development of the popular Berkeley Internet Domain Named (BIND) server from which nearly all DNS offshoots are based, also acknowledged the flaw and released a patch.

I personally spent about 90 minutes on last Wednesday updating several internal and external systems including numerous CentOS v5.2 servers and Windows 2003 Service Pack 2 servers. I was unable to find any mention of the DNS flaw on the Alcatel-Lucent website so I’ll probably need to place a call concerning Alcaltel-Lucent’s VitalQIP product.

I used yum to patch the CentOS Linux servers ["yum update"] and then just restarted the named process ["service named restart"]. On the Windows 2003 Service Pack 2 servers I used Windows Update to download and install KB941672 after which I rebooted the servers.

Here are some references:

http://www.theregister.co.uk/2008/07/09/dns_fix_alliance/
http://www.networkworld.com/news/2008/071008-patch-domain-name-servers-now.html
http://www.networkworld.com/news/2008/070808-dns-flaw-disrupts-internet.html

http://www.networkworld.com/podcasts/newsmaker/2008/071108nmw-dns.html

http://www.us-cert.gov/cas/techalerts/TA08-190B.html
http://www.microsoft.com/technet/security/bulletin/MS07-062.mspx

I would strongly suggest that all network administrators start looking into patching their DNS servers as soon as possible.

Cheers!

UPDATE: July 14, 2008

Here’s an update from RedHat concerning the configuration (named.conf) of BIND;

We have updated the Enterprise Linux 5 packages in this advisory. The default and sample caching-nameserver configuration files have been updated so that they do not specify a fixed query-source port. Administrators wishing to take advantage of randomized UDP source ports should check their configuration file to ensure they have not specified fixed query-source ports.

It seems that a check of the configuration file would be in order. Let me throw in a quick warning though if your DNS server is sitting behind a firewall you may need to check with the firewall administrator to understand how the firewall will behave if you randomize your source ports. I believe there are quite a few firewalls out there that only expect to see DNS traffic sourced from a DNS server on UDP/53.

Good Luck!

CentOS v5.2 is available!

2
July 5, 2008
by Michael McNamara in

centos_logo The folks over at CentOS released v5.2 on Tuesday June 24, 2008. I’ve been running six different HP Proliant DL360s over the past 24 months acting as a public WiFi Hotspot portal servers. The solution has been met all my expectations and almost manages itself entirely (I still need to apply patches and security updates).  CentOS 5.2 adds the same functionality that RHEL 5.2 adds including the latest virtualization support. If you’re looking for a Linux distribution for that brand new server hardware and you don’t have the budget to afford RedHat then CentOS is for you. CentOS is essentially a clone of RedHat Enterprise Linux compiled from the RHEL source files provided under GPL licensing terms. If you’re looking for a Linux distribution to run on that brand new laptop/desktop then I don’t think CentOS if for you. I would probably suggest Ubuntu as a solution for any laptop/desktop.

Just visit the current Mirrors list to start downloading today.

Note: Just be warned that if your running CentOS v5.0 or v5.1 you will be upgraded to CentOS v5.2 if you issue a “yum update“. I believe the release notes indicate you need to issue a “yum upgrade” in order to upgrade but that wasn’t my experience.

Cheers!

Go to Top