> We were recently audited as part of PCI compliance by an external vendor
> and were notified that our DNS server is vulnerable to cache snooping
> attacks.
It's not exactly a huge gaping hole, is it? :-p
> We are running BIND 9.2.4 and as far as I can tell, there is no
> reasonable workaround to prevent this unless it's upgraded to BIND
> 9.4.1-P1.
If my memory works correctly (and that is questionable), then I think
this issue was patched by the upstream provider [1]. The patch would
have fixed the issue without changing the version number.
This is why I have a big issue with auditors that just go by version
numbers! Ask them to back up the money they must be charging by
proving the vulnerability :-p
Dan
[1] Red Hat came out with a patch that CentOS then compiled and pushed out via yum update.
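The check the reply asks the auditor for, as an added example that is not part of the original thread or of BIND: a cache-snooping probe is just a query with the RD (recursion desired) bit cleared, which from a shell is `dig @resolver www.example.com +norecurse`. A resolver that answers such a query from its cache (NOERROR with an answer, no AA flag, a TTL that is counting down) reveals that some client recently looked the name up; a resolver that returns REFUSED is not disclosing its cache. The script below builds that probe on the wire and classifies the reply. The function names, the name `www.example.com`, the address 192.0.2.10 and all four sample responses are assumptions constructed for this example; nothing is sent over the network.

```python
"""Build a non-recursive DNS probe and classify a resolver's reply to it.

All sample responses at the bottom are constructed here for demonstration,
not captured from any real server. Names, addresses and TTLs are made up.
"""
import struct


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_snoop_query(name, txid=0x1234, qtype=1):
    """Non-recursive A query: header flags are all zero, so RD is clear."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a possibly-compressed name; returns (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(msg):
    """Parse header, question and answer sections of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "rdata": msg[offset:offset + rdlen]})
        offset += rdlen
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "questions": questions, "answers": answers}


def classify(query, response):
    """Interpret the resolver's reply to a non-recursive probe for a name."""
    qid = struct.unpack("!H", query[:2])[0]
    r = parse_response(response)
    if r["id"] != qid:
        return {"verdict": "unexpected-id"}
    if r["rcode"] == 5:                          # REFUSED: cache not served to us
        return {"verdict": "refused"}
    qname = r["questions"][0][0] if r["questions"] else None
    hits = [a for a in r["answers"] if a["name"] == qname]
    if not hits:
        return {"verdict": "not-cached", "rcode": r["rcode"]}
    if r["aa"]:                                  # authoritative data, not cache evidence
        return {"verdict": "authoritative"}
    # A record returned without recursion came from the cache; its TTL is what
    # is left of the original TTL, i.e. roughly how recently someone asked.
    return {"verdict": "cached", "ttl": min(a["ttl"] for a in hits)}


def build_response(query, rcode=0, answers=(), aa=False):
    """Constructed reply (for the demo only), echoing the query's question."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0080 | (0x0400 if aa else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = query[12:]                            # question section, unchanged
    for ttl, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + body


if __name__ == "__main__":
    q = build_snoop_query("www.example.com")
    samples = {
        "name in cache": build_response(q, answers=[(137, "192.0.2.10")]),
        "nothing cached": build_response(q),
        "refuses non-recursive cache queries": build_response(q, rcode=5),
        "authoritative for the zone": build_response(q, answers=[(3600, "192.0.2.10")], aa=True),
    }
    for label, pkt in samples.items():
        print(f"{label}: {classify(q, pkt)}")
```

On a Red Hat or CentOS host a backported fix shows up in `rpm -q --changelog bind`, not in the version string, which is why a probe like this against the actual server is better evidence than the version number either way: if the probe comes back `refused` for a name the server is not authoritative for, the cache is not being disclosed regardless of what the banner says.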