[deployment-guide/comm-rel: 148/727] Corrections in the 8.6 section.
Jaromir Hradilek
jhradile at fedoraproject.org
Tue Oct 19 12:36:43 UTC 2010
commit bb9e621a55f6791a087f809772343458b43efa64
Author: Adam Tkac <atkac at redhat.com>
Date: Mon Jul 12 14:08:57 2010 +0200
Corrections in the 8.6 section.
en-US/The_BIND_DNS_Server.xml | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)
---
diff --git a/en-US/The_BIND_DNS_Server.xml b/en-US/The_BIND_DNS_Server.xml
index b45aff8..fad6067 100644
--- a/en-US/The_BIND_DNS_Server.xml
+++ b/en-US/The_BIND_DNS_Server.xml
@@ -1825,11 +1825,8 @@ zone "1.0.10.in-addr.arpa" IN {
<warning
id="warning-Warning-Avoid_Using_Fixed_UDP_Source_Ports">
<title>Warning: Avoid Using Fixed UDP Source Ports</title>
- <para>Recent research in DNS security has shown that using a fixed UDP source port for DNS queries is a potential security vulnerability that could allow an attacker to more easily conduct cache-poisoning attacks. Due to this security threat, Red Hat issued a security update<footnote><para>The security update was <ulink
- url="https://rhn.redhat.com/errata/RHSA-2008-0533.html">RHSA-2008:0533</ulink>.</para>
- </footnote> for all versions of Red Hat Enterprise Linux which updated the default sample caching-nameserver configuration files so that they do not specify a fixed query-source port, thus causing the BIND nameserver to use a new, randomly-selected source port for each DNS query by default. This method had previously only been used during <application>named</application> service startup.</para>
- <para>DNS resolving is at risk whenever <application>named</application> is configured to use a static UDP source port. To avoid this risk, we recommend configuring your firewall to allow queries from a random UDP source port.</para>
- <para>BIND administrators with existing configurations who wish to take advantage of randomized UDP source ports should check their configuration files to ensure that they have not specified fixed query-source ports.</para>
+ <para>Recent research in DNS security has shown that using a fixed UDP source port for DNS queries is a potential security vulnerability that could allow an attacker to more easily conduct cache-poisoning attacks</para>
+ <para>DNS resolving is at risk whenever <application>named</application> is configured to use a static UDP source port. To avoid this risk, configure your firewall to allow queries from a random UDP source port.</para>
</warning>
<!--<para>By default, BIND version 9 uses random ports above 1024 to query other nameservers. Some firewalls, however, expect all nameservers to communicate using only port 53. To force <command
moreinfo="none">named</command> to use port 53, add the following
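Review bot: the first added `<para>` drops the sentence-final period after "cache-poisoning attacks", so the rendered warning now ends mid-sentence; and removing the third paragraph takes away the only concrete check in the warning, namely that administrators with existing configurations should confirm they have not specified a fixed query-source port. The remaining firewall sentence tells the reader what to allow but not where the fixed port would be set, so consider keeping that check, for example by extending the second new paragraph to read "To avoid this risk, ensure that your configuration does not specify a fixed query-source port, and configure your firewall to allow queries from a random UDP source port." Dropping the RHSA-2008:0533 footnote is reasonable if the intent is to remove errata-specific references, but the commit message ("Corrections in the 8.6 section.") should say that the product-specific history is being removed rather than merely corrected.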
More information about the docs-commits mailing list