From: Willy Tarreau <w@1wt.eu>
To: Richard Hartmann <richih.mailinglist@gmail.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: iptables, NAT, DNS & Dan Kaminsky
Date: Thu, 31 Jul 2008 23:14:06 +0200
Message-ID: <20080731211406.GA19104@1wt.eu>
In-Reply-To: <2d460de70807310759s2a7d6c4k5ba7e0e6a5bd9cf6@mail.gmail.com>

Hi Richard,

On Thu, Jul 31, 2008 at 04:59:24PM +0200, Richard Hartmann wrote:
> On Wed, Jul 30, 2008 at 21:55, Willy Tarreau <w@1wt.eu> wrote:
>
> > you should re-post your question to relevant lists. I think that
> > the netfilter ML would be more appropriate. The list you posted to
> > is about Linux kernel development, which has nothing to do with
> > how to set up iptables rules, so I don't think you'll find useful
> > answers here, if any.
>
> I also asked said list, but as I am especially concerned about
> what kernel versions act in which way, I thought I would try
> my luck here, as well.

Then you should wait a bit; there may be a lot of people on holiday.

> > And BTW I don't think that many of the people
> > reading LKML care a dime about the "exploit" for poorly configured
> > DNS servers.
>
> It is an exploit that is being abused as we speak and,

That does not mean that abused servers were properly set up.

> unless you
> mean source address filtering or the like, has nothing to do with
> how the servers are configured

Yes it has. I don't want to enter a DNS debate and I'm not even qualified
for that. But I can't find any reason why you would let your servers offer
public resolving service for outsiders. They must resolve hosted zones for
outsiders, hosted+outside zones for insiders and that's all. So that *should*
be either a non-issue, or a valid reason to fix the issue.

Regards,
Willy