https://kb.isc.org/article/AA-01272

The most recent BIND vulnerability, CVE-2015-5477, is particularly bad, affecting just about every BIND nameserver, regardless of the role it serves, and with no possible configuration workaround. To make it worse, a simple exploit has been published.

I saw someone in IRC who claimed to have an iptables rule which protects against this bug. Unfortunately the rule was not shared, and I am doubtful that it will work. Now it would be easily testable, at least using the published exploit.

Does anyone have a rule to share which you believe should protect against this bug & exploit? Does it also block legitimate TSIG-signed queries, or have other side effects?

Thanks.

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: