 From:  "Chris Buechler" <cbuechler at gmail dot com>
 To:  macgyver at calibre dash solutions dot co dot uk
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DNS Vulnerability...
 Date:  Fri, 25 Jul 2008 10:47:58 -0400
On Fri, Jul 25, 2008 at 5:41 AM, Angus MacGyver
<macgyver at calibre dash solutions dot co dot uk> wrote:
> Great  - thanks for the update.
> Will both DnsMasq and the ipfilter fixes be ported back to 1.2.x series ?
> (site says not to use 1.3beta for production - hence the question)

I use 1.3 in production; I would say it's safe for production use. A
lot of folks do, as it's the only release compatible with ALIX.

> Now the only other question remains - would it be worthwhile to set
> internal DNS servers to use m0n0wall's Dnsmasq as a forwarder to get
> around this temporarily ?
> I guess that might save a lot of sysadmin's work re-jigging a network with
> DHCP scopes for clients etc - or even having to "trust" 3rd party DNS
> servers.

That's an option, if the servers that m0n0wall uses are patched.
Another alternative is to use OpenDNS either directly on the internal
servers for recursion, or on m0n0wall by entering and in the DNS server boxes on the General page. If you use
OpenDNS directly on your internal servers you're going to lose your
source port entropy on queries to OpenDNS, but with this specific
issue that isn't directly relevant as you're only susceptible to
issues on the recursive query side, which OpenDNS never had an issue
with even before this came out. It would be better to use m0n0wall's
forwarder, with it using a patched external DNS server.
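The point about "source port entropy" above is what separates a resolver that is exposed to the 2008 cache-poisoning race from one that is not. The following is an added example, not code from the m0n0wall project or from anyone in this thread: it takes a list of (source port, transaction ID) pairs as a port-test tool would observe them, rates the port spread, and turns that into the size of the guess space a blind attacker has to cover and the number of races they should expect to run. The two sample sets are constructed, not captures; the rating thresholds and the uniform random-port model are this example's own assumptions.

```python
"""Added example (not from the m0n0wall thread): quantify how much a
resolver's source-port randomization raises the bar for a Kaminsky-style
cache-poisoning race. All samples below are constructed, not real captures."""
import random
import statistics

TXID_SPACE = 1 << 16  # DNS transaction IDs are 16 bits


def make_fixed_port_sample(n=64, port=53, seed=1):
    """Constructed sample: an unpatched resolver that sends every
    outbound query from one UDP source port (only the TXID varies)."""
    rng = random.Random(seed)
    return [(port, rng.randrange(TXID_SPACE)) for _ in range(n)]


def make_random_port_sample(n=64, lo=1024, hi=65535, seed=1):
    """Constructed sample: a patched resolver that picks a random
    ephemeral source port for each outbound query."""
    rng = random.Random(seed)
    return [(rng.randint(lo, hi), rng.randrange(TXID_SPACE)) for _ in range(n)]


def port_stats(samples):
    """Return (distinct ports seen, population std-dev of the ports)."""
    ports = [port for port, _ in samples]
    spread = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    return len(set(ports)), spread


def rate_ports(samples):
    """Rate the observed source ports. Thresholds are this example's own
    (an assumption), loosely in the spirit of the public port-test tools:
    one port is POOR, a narrow spread is FAIR, a wide spread is GOOD."""
    distinct, spread = port_stats(samples)
    if distinct == 1:
        return "POOR"
    if spread < 1000:
        return "FAIR"
    return "GOOD"


def search_space(samples):
    """Guesses a blind attacker must cover: (observed port range) x TXIDs.
    The port range is estimated from the sample, so this is a lower bound
    on what the resolver actually uses."""
    ports = [port for port, _ in samples]
    port_range = max(ports) - min(ports) + 1
    return port_range * TXID_SPACE


def race_success_probability(space, spoofed_per_race):
    """Probability one race is won when the attacker fires `spoofed_per_race`
    distinct forged answers before the genuine one arrives."""
    return min(1.0, spoofed_per_race / space)


def expected_races(space, spoofed_per_race):
    """Kaminsky's trick: each race uses a fresh random subname, so the
    attacker gets unlimited retries. Expected races until the first win."""
    return 1.0 / race_success_probability(space, spoofed_per_race)


def poison_probability(space, spoofed_per_race, races):
    """Probability of at least one win across `races` independent races."""
    p = race_success_probability(space, spoofed_per_race)
    return 1.0 - (1.0 - p) ** races


if __name__ == "__main__":
    for label, sample in (("fixed port", make_fixed_port_sample()),
                          ("random port", make_random_port_sample())):
        space = search_space(sample)
        print(f"{label:12s} rating={rate_ports(sample):4s} "
              f"search space={space:,d} "
              f"expected races (100 spoofs/race)={expected_races(space, 100):,.0f}")
```

With a fixed source port the attacker only has to beat the 16-bit transaction ID, so at 100 forged answers per race a win is expected within a few hundred races; with ports spread across the ephemeral range the same attacker needs millions. Note that this entropy is measured where the query leaves the network: a NAT device in the path that rewrites source ports sequentially collapses a GOOD rating back towards POOR, which is why the firewall's NAT behaviour matters as much as the resolver's own patch.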