Multiple DNS implementations vulnerable to cache poisoning

denisp_ironport
Level 1

Guys, just checking on IronPort: they do have a DNS cache. Did they patch this, and what release addresses the patch:

http://www.kb.cert.org/vuls/id/800113

2 Replies

Check this:
https://www.ironportnation.com/forums/viewtopic.php?t=948

Doc_ironport
Level 1

As the advisory says, IronPort is not vulnerable to this problem.

However, if you are using an upstream DNS server (rather than using the "root servers") and that upstream server (or its upstream, etc.) is vulnerable to this problem, then it's still possible for your IronPort to receive invalid data.

So please, if you're using an upstream DNS server, check with your ISP or whoever provides it to make sure that they are taking the relevant precautions to make sure they are not vulnerable to this problem.

You can do a basic test to check if your upstream servers are vulnerable by running the following from your IronPort :
myironport> nslookup porttest.dns-oarc.net txt

TXT="63.251.57.82 is GOOD: 26 queries in 155.3 seconds from 26 ports with std dev 14911.47"
TTL=30m

If you get a POOR or FAIR, it means you've got a problem. If you get a GOOD, it means that the last DNS server in the chain is OK, but any in the middle could still be vulnerable.
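As an added example (not from this thread, and not an IronPort or DNS-OARC tool), the script below does two things a defender running the check above might want: it parses the TXT answer quoted in the reply into its fields so the rating, query count and port spread can be recorded or alerted on, and it scores a list of observed UDP source ports the same way that test reasons (how many distinct ports, and how widely they are spread). The regex is written against the exact shape of the TXT string quoted above and is an assumption about other responses; the port-spread thresholds are illustrative, not DNS-OARC's; and the three port lists are constructed sample data.

```python
import re
import statistics
from typing import List, NamedTuple


class PortTestResult(NamedTuple):
    resolver_ip: str      # address the test server saw queries arrive from
    rating: str           # GOOD, FAIR or POOR as reported by the test
    queries: int
    seconds: float
    distinct_ports: int
    std_dev: float


# Matches the TXT answer shape quoted in the thread; other versions of the
# test may word the answer differently (assumption).
_TXT_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is (?P<rating>GOOD|FAIR|POOR): '
    r'(?P<queries>\d+) queries in (?P<seconds>[\d.]+) seconds from '
    r'(?P<ports>\d+) ports with std dev (?P<sd>[\d.]+)'
)


def parse_porttest_txt(txt: str) -> PortTestResult:
    """Parse a porttest.dns-oarc.net TXT string into structured fields."""
    m = _TXT_RE.search(txt)
    if not m:
        raise ValueError(f"unrecognised porttest response: {txt!r}")
    return PortTestResult(
        resolver_ip=m.group("ip"),
        rating=m.group("rating"),
        queries=int(m.group("queries")),
        seconds=float(m.group("seconds")),
        distinct_ports=int(m.group("ports")),
        std_dev=float(m.group("sd")),
    )


def assess_ports(ports: List[int]) -> dict:
    """Score a list of observed source ports: how many are distinct and how spread out.

    A resolver that sends every query from one port, or from a short sequential
    band, gives an attacker far less to guess than one drawing from the whole
    ephemeral range. Thresholds here are illustrative only (assumption).
    """
    distinct = len(set(ports))
    sd = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    if distinct == 1:
        verdict = "fixed port (no randomisation)"
    elif sd < 100 or distinct < len(ports):
        verdict = "narrow or reused range"
    else:
        verdict = "wide randomisation"
    return {"distinct_ports": distinct, "std_dev": round(sd, 2), "verdict": verdict}


# Constructed sample port lists (26 queries each, like the quoted test run).
FIXED_PORTS = [53] * 26                                  # single fixed port
SEQUENTIAL_PORTS = list(range(1024, 1050))               # short sequential band
SPREAD_PORTS = [1025 + (i * 2521) % 64512 for i in range(26)]  # deterministic wide spread

# The TXT string exactly as quoted in the reply above.
SAMPLE_TXT = ('TXT="63.251.57.82 is GOOD: 26 queries in 155.3 seconds '
              'from 26 ports with std dev 14911.47"')


if __name__ == "__main__":
    result = parse_porttest_txt(SAMPLE_TXT)
    print(f"{result.resolver_ip}: {result.rating} "
          f"({result.distinct_ports}/{result.queries} distinct ports, std dev {result.std_dev})")
    for name, ports in (("fixed", FIXED_PORTS),
                        ("sequential", SEQUENTIAL_PORTS),
                        ("spread", SPREAD_PORTS)):
        print(name, assess_ports(ports))
```

The parsed fields are what you would log per resolver; a rating other than GOOD, or a distinct-port count well below the query count, is the condition worth raising.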
