
Date:  Tue, 04 Nov 2008 09:38:09 -0500
From:  Brian Rahill <brian (at mark) rainstormconsulting.com>
Subject:  [coba-e:14264] Re: Cache snooping attacks, bind
To:  coba-e (at mark) bluequartz.org
Message-Id:  <49105E51.4060007 (at mark) rainstormconsulting.com>
In-Reply-To:  <491029C1.30503 (at mark) dogsbody.org>
References:  <490F2542.3040509 (at mark) rainstormconsulting.com> <491029C1.30503 (at mark) dogsbody.org>
X-Mail-Count: 14264


>> We are running BIND 9.2.4 and as far as I can tell, there is no 
>> reasonable workaround to prevent this unless it's upgraded to BIND 
>> 9.4.1-P1.
>
> If my memory works correctly! (and that is questionable) then I think 
> this issue was patched by the upstream provider [1].  The patch would 
> have fixed the issue without changing the version numbers.
Yes, it's a small issue but one that the PCI auditing vendors count 
against us. I don't believe that it has been patched by yum as I can 
verify that the issue exists on our servers (we are fully updated 
through yum).
The only reasonable fix is to set the "allow-query-cache" option in 
/etc/named.conf. However, the version of BIND we are running doesn't 
support this. When restarting, I get:

Error in named configuration:
/etc/named.conf:14: unknown option 'allow-query-cache'

Does anyone have other ideas?

Thanks,

Brian
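For the situation described in the thread (BIND 9.2.x, which rejects "allow-query-cache"), here is an added example of the usual 9.2-era workaround; it is not from the post or from the BlueQuartz project, and the ACL addresses and zone name are constructed placeholders. The idea is to put recursion in a separate view for trusted clients only, so the view that outsiders reach has no populated cache to snoop.

```conf
// Added example, not from the original thread.
// BIND 9.2.x lacks allow-query-cache, so recursive and authoritative
// service are split into two views, each with its own cache.
// 192.0.2.0/24 and example.com are placeholders; substitute your own.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";
    // Default for all views: only trusted clients may recurse.
    allow-recursion { "trusted"; };
};

// Internal view: full recursive resolver; its cache is only reachable
// by clients that match the "trusted" ACL.
view "internal" {
    match-clients { "trusted"; };
    recursion yes;
    zone "example.com" { type master; file "example.com.zone"; };
};

// External view: authoritative answers only. Recursion is off, so this
// view's separate cache is never filled and there is nothing to snoop.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    zone "example.com" { type master; file "example.com.zone"; };
};
```

After reloading, a non-recursive lookup (dig +norecurse) for a name you are not authoritative for, sent from an address outside the ACL, should come back with no answer or REFUSED instead of cached data; that is the check a PCI scanner is performing.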