If set in resolv.conf to 127.0.0.1 and in named.conf "recursion no", it should be fine? AFAIK the problem is that queries on > bind8 are answered from the resolver libs and bind9 only answers from cache?
Disclaimer: I've got all of the following from the DNS mailing list, none of it is my own (except the wording). However, the sources are pretty much experts at DNS (and coding).

The problem lies in the resolver libs. That's where it should be fixed. The current BIND resolver lib vulnerability is triggered by perfectly fine DNS datagrams. If an intermediate party between the attacker's DNS server and the target, such as a DNS proxy, reconstructs answers instead of just piping them through unmodified, then the attacker just needs to analyse that party's behaviour and modify his attack payload accordingly.

This sounds a little complicated, I'll try to clarify. The attacker knows that payload A will root the target. If the target contacts his DNS server directly, he simply sends it A and is done. If the target accesses the DNS server through a 'constructing' DNS proxy, the attacker needs to find out how the proxy constructs packets, pick a payload B that will root the target (this may be A, but it must be different if the proxy will never construct A) and reverse the construction process to get B'.

So the use of a DNS proxy doesn't really solve the problem. Updating the buggy libraries does.

Cheers,
Tobias
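The point above (a "constructing" proxy changes how a response is framed on the wire, not the record fields the resolver library ends up consuming) can be made concrete with a small parser and re-serializer. This is an added example, not code from the thread or from BIND: it parses a DNS response (RFC 1035 wire format, with name compression), rebuilds it the way a normalizing proxy might (uncompressed names, fresh framing), and shows that the records seen by the resolver are identical before and after. The sample response, the names and addresses in it, and the function names are constructed for this example. RDATA is copied opaquely here; a real proxy would additionally have to expand compression pointers inside the RDATA of record types such as CNAME, NS and MX, which is exactly the kind of deterministic transformation the post says an attacker can account for.

```python
import struct


def _read_name(msg, off):
    """Decode a possibly compressed domain name at offset `off`.

    Returns (labels, offset just past the name in the original stream).
    Compression pointers are followed per RFC 1035 section 4.1.4.
    """
    labels = []
    end = None          # set when the first pointer is met
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # two-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                     # root label terminates the name
            return labels, (end if end is not None else off)
        labels.append(bytes(msg[off:off + length]))
        off += length


def parse(msg):
    """Split a DNS message into header fields, questions and resource records."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    records = []
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = bytes(msg[off:off + rdlen])   # copied opaquely (see lead-in)
        off += rdlen
        records.append((name, rtype, rclass, ttl, rdata))
    return {"id": msg_id, "flags": flags, "counts": (qd, an, ns, ar),
            "questions": questions, "records": records}


def _write_name(labels):
    out = bytearray()
    for lab in labels:
        out.append(len(lab))
        out += lab
    out.append(0)
    return bytes(out)


def rebuild(parsed):
    """Act as a 'constructing' proxy: re-emit the message from parsed fields,
    without name compression, so the wire bytes differ from the original."""
    qd, an, ns, ar = parsed["counts"]
    out = bytearray(struct.pack("!6H", parsed["id"], parsed["flags"], qd, an, ns, ar))
    for name, qtype, qclass in parsed["questions"]:
        out += _write_name(name) + struct.pack("!HH", qtype, qclass)
    for name, rtype, rclass, ttl, rdata in parsed["records"]:
        out += _write_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return bytes(out)


def resolver_view(msg):
    """The fields a resolver library actually interprets, framing aside."""
    return [(b".".join(n).decode(), t, c, ttl, rd)
            for n, t, c, ttl, rd in parse(msg)["records"]]


def proxy_changes_framing_only(msg):
    """True when the rebuilt datagram differs byte-wise from the original
    but carries exactly the same records to the resolver."""
    rebuilt = rebuild(parse(msg))
    return rebuilt != msg and resolver_view(rebuilt) == resolver_view(msg)


# Constructed sample: a response for www.example.com with one A record and one
# TXT record, both using a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, 7) + b"\x06sample"
)

if __name__ == "__main__":
    print("framing changed, records unchanged:", proxy_changes_framing_only(SAMPLE_RESPONSE))
    for rec in resolver_view(SAMPLE_RESPONSE):
        print(rec)
```

Running it shows the rebuilt datagram is longer than the original (compression removed) while every record the resolver sees, name, type, class, TTL and RDATA, is byte-for-byte the same. That is the thread's argument in miniature: normalizing the packet does not change what a buggy resolver library is handed.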