Debian: New pdns-recursor packages fix cache poisoning vulnerability
LinuxSecurity.com: Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a weak random number generator to create DNS transaction IDs and UDP source port numbers. As a result, cache poisoning attacks were simplified.
lwresd(1M)
NAME
lwresd - lightweight resolver daemon
SYNOPSIS
config-file] debuglevel] pid-file] ncpus] query-port] port] directory] user-id]
DESCRIPTION
The lwresd daemon provides name lookup services for clients that use the BIND 9 lightweight resolver library. It is essentially a stripped-down, caching-only name server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol.
lwresd listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that lwresd can only be used by processes running on the local machine. By default, UDP port number 921 is used for lightweight resolver requests and responses.
Incoming lightweight resolver requests are decoded by lwresd, which then resolves them using the DNS protocol. When the DNS lookup completes, lwresd encodes the answers from the name servers in the lightweight resolver format and returns them to the client that made the original request.
If the configuration file contains any entries, lwresd sends recursive DNS queries to those servers. This is similar to the use of forwarders in a caching name server. If no entries are present, or if forwarding fails, lwresd resolves the queries autonomously, starting at the root name servers and using a compiled-in list of root-server hints.
OPTIONS
Use config-file as the configuration file. The default is
Set the debug level to debuglevel. Debugging traces from lwresd become more verbose as the debug level increases.
Run in the foreground.
Run in the foreground and force all logging to standard error.
Write the daemon's process ID to pid-file. The default is
Create ncpus worker threads to take advantage of multiple CPUs. By default, lwresd tries to determine the number of CPUs present and creates one thread per CPU. If it cannot determine the number of CPUs, it creates a single worker thread.
Send DNS lookups to port number query-port when querying name servers. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a nonstandard port number.
Listen for lightweight resolver queries on the loopback interface using UDP port number port. The default is port 921.
Write memory usage statistics to standard output on exit. This option is only of interest to BIND 9 developers and may be removed or changed in a future release.
Change root to directory immediately after reading the configuration file (see chroot(2)).
Run as user-id, which is a user name or numeric ID that must be present in the password file. lwresd changes its user-id after it has carried out any privileged operations, such as writing the process-ID file or binding a socket to a privileged port (typically any port less than 1024).
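The manual's security point is that lwresd is reachable only from the local machine because it binds to 127.0.0.1 (port 921 unless changed). The following audit is an added example, not part of the lwresd manual or of BIND: it parses the output of `ss -ulnp` and reports any lwresd UDP socket that is not on a loopback address or not on the expected port. The sample output is constructed; the second line shows the misconfiguration the check should catch.

```python
import re

# Constructed sample of `ss -ulnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0          127.0.0.1:921        0.0.0.0:*     users:(("lwresd",pid=1234,fd=5))
UNCONN 0      0            0.0.0.0:921        0.0.0.0:*     users:(("lwresd",pid=1234,fd=6))
UNCONN 0      0          127.0.0.1:53         0.0.0.0:*     users:(("named",pid=1000,fd=20))
"""

# One UDP socket line: state, queue counters, local addr:port, peer addr:port, owner.
SOCKET_RE = re.compile(
    r'^UNCONN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)

# The manual describes the IPv4 loopback; the IPv6 loopback is accepted as
# local too so that a dual-stack host is not flagged for it.
LOOPBACK = {'127.0.0.1', '[::1]'}


def parse_udp_listeners(ss_output):
    """Return (process, address, port) for every UDP socket line in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            listeners.append((m['proc'], m['addr'], int(m['port'])))
    return listeners


def audit_lwresd(ss_output, expected_port=921):
    """Report lwresd sockets that are not loopback-only or not on expected_port
    (921 by default, as in the manual; pass the custom port if one was configured)."""
    findings = []
    for proc, addr, port in parse_udp_listeners(ss_output):
        if proc != 'lwresd':
            continue
        if addr not in LOOPBACK:
            findings.append(f'lwresd listens on non-loopback address {addr}:{port}')
        if port != expected_port:
            findings.append(f'lwresd listens on unexpected port {addr}:{port}')
    return findings


if __name__ == '__main__':
    for finding in audit_lwresd(SAMPLE_SS_OUTPUT):
        print(finding)
```

On a live host, feed the real output with `audit_lwresd(subprocess.check_output(['ss', '-ulnp'], text=True))`.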
NOTE
lwresd is a daemon for lightweight resolvers, not a lightweight daemon for resolvers.
AUTHOR
lwresd was developed by the Internet Systems Consortium (ISC).
FILES
Default resolver configuration file
Default process-id file
SEE ALSO named(1M), chroot(2).
available online at
available from the Internet Systems Consortium at
BIND 9.3 lwresd(1M)