 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Preliminary release 1.3b13-pre (-> DNS insecurity panic)
 Date:  Thu, 10 Jul 2008 03:18:55 -0400
On Wed, Jul 9, 2008 at 5:32 PM, Manuel Kasper <mk at neon1 dot net> wrote:
> Hello,
>
> in light of the recent CERT advisory about more DNS cache poisoning
> vulnerabilities in all DNS server software (discovered by Dan Kaminsky), the
> author of Dnsmasq has released version 2.43rc3 of his DNS forwarder
> software, which is used in m0n0wall (even though at this point he believes
> that Dnsmasq isn't affected, as it doesn't do recursive name resolution).
> This version now includes the recommended query source port randomization.
>
> He'd be grateful if this Dnsmasq version got as much testing as possible, as
> there's some time pressure to release a fixed final version. I have
> therefore (and also because of the "Register DHCP leases in DNS forwarder"
> mishap in 1.3b12) created a preliminary 1.3b13 version for the slightly more
> adventurous among you to test.
>

Haven't messed with the "Register DHCP leases", but the updated
dnsmasq does appear to work properly in both m0n0wall and pfSense from
my testing.

This dnsmasq update is the result of a flurry of emails between
Manuel, Scott Ullrich, the pfSense dev list, Simon Kelley (dnsmasq
author), and me. Thanks much to Simon Kelley for getting an update out
so quickly even though it's apparently not relevant, and to Manuel for
getting an updated m0n0wall release out.

Note that everything at this point indicates this isn't relevant to
dnsmasq, as Manuel mentioned. More from me on that here:
http://blog.pfsense.org/?p=210  I don't feel this is a critical update
at this point, but it's good to get it tested and ready for wider
deployment.

-Chris
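As an added illustration of what the "query source port randomization" mentioned in the thread buys (this is not code from dnsmasq, m0n0wall or pfSense, and not part of the original message): a small Python model of blind reply spoofing against a resolver that matches replies on the 16-bit transaction ID alone, versus one that also randomizes the UDP source port of each outgoing query. The ephemeral port range, the single fixed source port of the unpatched resolver, and the size of the spoofed burst per query are assumptions chosen for the simulation; the thread's own position that dnsmasq as a forwarder was believed not to be affected is left as stated.

```python
"""Model of blind DNS reply spoofing with and without query source port
randomization.  Added illustration only; not dnsmasq, m0n0wall or pfSense code.
The port range, the unpatched resolver's fixed port and the attack burst size
are assumptions made for the simulation."""
import random

TXID_SPACE = 1 << 16                  # DNS transaction ID is 16 bits
EPHEMERAL_PORTS = range(1024, 65536)  # assumed range a randomizing resolver picks from
FIXED_QUERY_PORT = 53                 # assumed: unpatched resolver reuses one source port


def guess_space(randomize_port: bool) -> int:
    """Distinct (txid, port) pairs a blind spoofer must cover for one outstanding query."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


def hit_probability(spoofed_replies: int, randomize_port: bool) -> float:
    """Upper bound on the chance that a burst of distinct guesses matches one query."""
    return min(1.0, spoofed_replies / guess_space(randomize_port))


class Resolver:
    """Minimal model of a resolver/forwarder waiting for an upstream reply."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.outstanding = None  # (txid, source port) of the query in flight

    def send_query(self):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_QUERY_PORT
        self.outstanding = (txid, port)
        return self.outstanding

    def accept_reply(self, txid: int, dst_port: int) -> bool:
        """A reply is matched to the outstanding query only if txid and port both agree."""
        return self.outstanding == (txid, dst_port)


def spoof_attack(resolver: Resolver, queries: int, burst: int,
                 known_port, rng: random.Random) -> int:
    """Race each fresh query with `burst` spoofed replies (Kaminsky style: a new
    query per round).  The attacker knows `known_port` when the resolver reuses
    a fixed port; with None it must guess the port as well as the txid."""
    successes = 0
    for _ in range(queries):
        resolver.send_query()
        for txid in rng.sample(range(TXID_SPACE), burst):   # distinct txid guesses
            port = known_port if known_port is not None else rng.choice(EPHEMERAL_PORTS)
            if resolver.accept_reply(txid, port):
                successes += 1
                break
    return successes


def compare(queries: int = 4000, burst: int = 250, seed: int = 1) -> dict:
    """Run the same attack budget against both resolver models."""
    rng = random.Random(seed)
    fixed = spoof_attack(Resolver(False, rng), queries, burst, FIXED_QUERY_PORT, rng)
    randomized = spoof_attack(Resolver(True, rng), queries, burst, None, rng)
    return {"fixed_port": fixed, "random_port": randomized}


if __name__ == "__main__":
    for rp in (False, True):
        print(f"randomize_port={rp}: guess space {guess_space(rp):,}, "
              f"per-query hit chance <= {hit_probability(250, rp):.2e}")
    print(compare())
```

With the defaults, the fixed-port resolver is poisoned a number of times over a few thousand queries, because 250 guesses against 65,536 possible transaction IDs succeed about once every 260 queries; once the port is also unknown the guess space grows by the size of the port range and the same budget almost never hits. The model only checks txid and port, so it says nothing about other mitigations (0x20 encoding, DNSSEC) that the thread does not discuss.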