Mikio Kishi wrote:
Hi, Amos
Workarounds:
Using all of the following steps is required to protect a
vulnerable Squid from this and other forms of DNS attack.
* Ensuring the ignore_unknown_nameservers is turned on.
* Ensuring that DNS packets cannot be sent to Squid from
untrusted nameservers or other machines.
The most secure implementation of these requirements is to use
a nameserver running on the localhost IP dedicated for secure use
by Squid and any other services on the Squid machine.
I'd like to make sure about the above. "The most secure implementation" means that:
- The ignore_unknown_nameservers is turned on (default)
- The /etc/resolv.conf on the squid server is the following:
nameserver 127.0.0.1
- The localhost nameserver on the squid server is only a caching
server, like BIND.
Is this correct?
Sincerely,
--
Mikio Kishi
Yes.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
Current Beta Squid 3.1.0.16
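The three conditions Mikio lists above can be checked mechanically. The following is an added example, not code from this thread or from the Squid project: a read-only POSIX shell check that verifies squid.conf does not turn ignore_unknown_nameservers off or point the real squid.conf directive dns_nameservers at a non-localhost resolver, and that every nameserver line in resolv.conf is 127.0.0.1 or ::1. The sample files it creates are constructed here; the paths and the function names are this example's own, and it does not check the third condition (that the local resolver is itself a caching server), which has to be confirmed on the resolver side.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project). Checks the
# file-level parts of the DNS workaround against constructed sample files.

# 0 if the address is the local host, 1 otherwise.
is_localhost() {
    case "$1" in
        127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if squid.conf ($1) leaves ignore_unknown_nameservers on (its default,
# so an absent line counts as on) and any dns_nameservers entries are local.
check_squid_conf() {
    if grep -Eiq '^[[:space:]]*ignore_unknown_nameservers[[:space:]]+off' "$1"; then
        echo "FAIL: ignore_unknown_nameservers is off in $1"
        return 1
    fi
    for ip in $(awk 'tolower($1)=="dns_nameservers"{for(i=2;i<=NF;i++)print $i}' "$1"); do
        if ! is_localhost "$ip"; then
            echo "FAIL: dns_nameservers points at $ip in $1"
            return 1
        fi
    done
    return 0
}

# 0 if resolv.conf ($1) has at least one nameserver line and all of them
# point at the local host; comment lines start with '#' and never match.
check_resolv_conf() {
    ns=$(awk '$1=="nameserver"{print $2}' "$1")
    if [ -z "$ns" ]; then
        echo "FAIL: no nameserver line in $1"
        return 1
    fi
    for ip in $ns; do
        if ! is_localhost "$ip"; then
            echo "FAIL: $1 sends queries to $ip, not localhost"
            return 1
        fi
    done
    return 0
}

# Both checks together: $1 = squid.conf path, $2 = resolv.conf path.
check_dns_workaround() {
    check_squid_conf "$1" && check_resolv_conf "$2"
}

# Constructed sample files (hypothetical paths under a temp dir).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# squid.conf relying on the defaults: nothing DNS-related overridden.
GOOD_SQUID="$SAMPLES/squid.good.conf"
printf '# constructed sample\nhttp_port 3128\n' > "$GOOD_SQUID"

# squid.conf with the directive explicitly disabled.
BAD_SQUID="$SAMPLES/squid.bad.conf"
printf 'http_port 3128\nignore_unknown_nameservers off\n' > "$BAD_SQUID"

# squid.conf that bypasses resolv.conf and names a remote resolver.
REMOTE_SQUID="$SAMPLES/squid.remote.conf"
printf 'dns_nameservers 127.0.0.1 192.0.2.53\n' > "$REMOTE_SQUID"

# resolv.conf pointing only at the local caching resolver.
GOOD_RESOLV="$SAMPLES/resolv.good.conf"
printf '# constructed sample\nnameserver 127.0.0.1\n' > "$GOOD_RESOLV"

# resolv.conf that also lists a remote resolver as a fallback.
BAD_RESOLV="$SAMPLES/resolv.bad.conf"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$BAD_RESOLV"

if check_dns_workaround "$GOOD_SQUID" "$GOOD_RESOLV"; then
    echo "OK: squid.conf and resolv.conf meet the workaround conditions"
fi
check_dns_workaround "$BAD_SQUID" "$BAD_RESOLV" || true
```

Run it against the real files by calling check_dns_workaround /etc/squid/squid.conf /etc/resolv.conf; a fallback nameserver line for a remote resolver is treated as a failure because a resolver that falls back off-host reopens the path the workaround closes.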