Mikio Kishi wrote:
> Hi, Amos
>
>> Workarounds:
>>
>> All of the following steps are required to protect a
>> vulnerable Squid from this and other forms of DNS attack.
>>
>> * Ensuring the ignore_unknown_nameservers is turned on.
>>
>> * Ensuring that DNS packets cannot be sent to Squid from
>> untrusted nameservers or other machines.
>>
>> The most secure implementation of these requirements is to use
>> a nameserver running on the localhost IP dedicated for secure use
>> by Squid and any other services on the Squid machine.
>
> I'd like to make sure of the above. "The most secure implementation" means that
>
> - The ignore_unknown_nameservers is turned on (default)
>
> - The /etc/resolv.conf on the Squid server is as follows:
> nameserver 127.0.0.1
>
> - The localhost nameserver on the Squid server is just a caching-only
> server, like BIND.
>
> Is it correct?
>
> Sincerely,
>
> --
> Mikio Kishi
>
Yes.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
  Current Beta Squid 3.1.0.16

Received on Wed Feb 03 2010 - 09:42:02 MST
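
A way to check the two configuration-visible points confirmed in this thread, as an added example that is not part of the original messages or of Squid itself: `ignore_unknown_nameservers` is on, and every resolver Squid will use is a loopback address. It assumes that `dns_nameservers` in squid.conf, when present, takes precedence over /etc/resolv.conf; the function names and sample file contents are constructed for illustration, and packet filtering and the local resolver's own configuration still need separate review.

```python
import ipaddress

def directive_args(text, name):
    """Collect the arguments of every `name ...` line, skipping # comments."""
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == name:
            found.append(fields[1:])
    return found

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # hostname or malformed entry: not a loopback address
        return False

def audit(squid_conf, resolv_conf):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # An absent directive means the default (on); if repeated, the last
    # line is assumed to win.
    ignore = directive_args(squid_conf, "ignore_unknown_nameservers")
    if ignore and ignore[-1][:1] != ["on"]:
        findings.append("ignore_unknown_nameservers is not on")
    # Assumption: dns_nameservers in squid.conf overrides /etc/resolv.conf.
    source = "squid.conf dns_nameservers"
    lines = directive_args(squid_conf, "dns_nameservers")
    if not lines:
        source = "/etc/resolv.conf"
        lines = directive_args(resolv_conf, "nameserver")
    servers = [addr for args in lines for addr in args]
    if not servers:
        findings.append(f"no nameserver entries found in {source}")
    for addr in servers:
        if not is_loopback(addr):
            findings.append(f"{source}: {addr} is not a loopback address")
    return findings

# Constructed sample inputs (192.0.2.53 is a documentation address).
SQUID_OK = "http_port 3128\n# ignore_unknown_nameservers left at its default\n"
RESOLV_OK = "nameserver 127.0.0.1\n"
SQUID_BAD = "ignore_unknown_nameservers off\ndns_nameservers 127.0.0.1 192.0.2.53\n"
RESOLV_BAD = "search example.net\nnameserver 192.0.2.53\n"

if __name__ == "__main__":
    for squid, resolv in ((SQUID_OK, RESOLV_OK), (SQUID_BAD, RESOLV_OK), (SQUID_OK, RESOLV_BAD)):
        print(audit(squid, resolv) or "OK")
```
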