Gentoo's Bugzilla – Attachment 165323 Details for
Bug 231285
net-dns/pdnsd < 1.2.7 cache-posoning and p_exec_query DoS (CVE-2008-1447,CVE-2008-4194)
pdnsd.conf
pdnsd.conf (text/plain), 4.30 KB, created by
Friedrich Oslage (RETIRED)
on 2008-09-13 09:51:29 UTC
Description:
pdnsd.conf
Filename:
MIME Type:
Creator:
Friedrich Oslage (RETIRED)
Created:
2008-09-13 09:51:29 UTC
Size:
4.30 KB
// Sample pdnsd configuration file. Must be customized to obtain a working pdnsd setup!
// Read the pdnsd.conf(5) manpage for an explanation of the options.
// Add or remove '#' in front of options you want to disable or enable, respectively.
// Remove '/*' and '*/' to enable complete sections.

global {
    perm_cache=1024;
    cache_dir="/var/cache/pdnsd";
#   pid_file = /var/run/pdnsd.pid;
    run_as="pdnsd";             # Account the daemon runs as; keep this a dedicated,
                                # unprivileged user (see pdnsd.conf(5)).
    server_ip = 127.0.0.1;      # Use eth0 here if you want to allow other
                                # machines on your network to query pdnsd.
                                # Listening beyond loopback lets every host that can
                                # reach that interface query this cache, so restrict
                                # access with a packet filter if you change it.
    status_ctl = on;            # Enables the status control socket used by pdnsd-ctl.
                                # The socket's file permissions are set with ctl_perms
                                # (see pdnsd.conf(5)).
#   paranoid=on;                # This option reduces the chance of cache poisoning
                                # but may make pdnsd less efficient, unfortunately.
                                # NOTE(review): left disabled in this sample. pdnsd 1.2.7
                                # and later can also randomise the query source port
                                # (query_port_start / query_port_end); check pdnsd.conf(5)
                                # for the defaults of the installed version.
    query_method=udp_tcp;
    min_ttl=15m;                # Retain cached entries at least 15 minutes.
                                # This floor applies to every cached record, so a bad
                                # answer that gets cached is kept at least this long too.
    max_ttl=1w;                 # One week.
    timeout=10;                 # Global timeout option (10 seconds).
}

# The following section is most appropriate if you have a fixed connection to
# the Internet and an ISP which provides good DNS servers.
server {
    label= "myisp";
    ip = 10.254.0.1;            # Put your ISP's DNS-server address(es) here.
#   proxy_only=on;              # Do not query any name servers besides your ISP's.
                                # This may be necessary if you are behind some
                                # kind of firewall and cannot receive replies
                                # from outside name servers.
    timeout=4;                  # Server timeout; this may be much shorter
                                # than the global timeout option.
    uptest=if;                  # Test if the network interface is active.
    interface=eth0;             # The name of the interface to check.
    interval=10m;               # Check every 10 minutes.
    purge_cache=off;            # Keep stale cache entries in case the ISP's
                                # DNS servers go offline.
}

/*
# The following section is more appropriate for dial-up connections.
# Read about how to use pdnsd-ctl for dynamic configuration in the documentation.
server {
    label= "dialup";
    file = "/etc/ppp/resolv.conf";  # Preferably do not use /etc/resolv.conf
    proxy_only=on;
    timeout=4;
    uptest=if;
    interface = ppp0;
    interval=10;                # Check the interface every 10 seconds.
    purge_cache=off;
    preset=off;
}
*/

/*
# The servers provided by OpenDNS are fast, but they do not reply with
# NXDOMAIN for non-existent domains; instead they supply you with an
# address of one of their search engines. They also lie about the addresses
# of the search engines of google, microsoft and yahoo.
# If you do not like this behaviour the "reject" option may be useful.
server {
    label = "opendns";
    ip = 208.67.222.222, 208.67.220.220;
    reject = 208.69.32.0/24,    # You may need to add additional address ranges
             208.69.34.0/24,    # here if the addresses of their search engines
             208.67.219.0/24;   # change.
    reject_policy = fail;       # If you do not provide any alternative server
                                # sections, like the following root-server
                                # example, "negate" may be more appropriate here.
    timeout = 4;
    uptest = ping;              # Test availability using ICMP echo requests.
    ping_timeout = 100;         # ping test will time out after 10 seconds
                                # (the value is given in tenths of a second).
    interval = 15m;             # Test every 15 minutes.
    preset = off;
}
*/

/*
# This section is meant for resolving from root servers.
# NOTE(review): root-server addresses change over time; verify this list
# against the current root hints before enabling the section.
server {
    label = "root-servers";
    root_server = on;
    randomize_servers = on;     # Give every root server an equal chance
                                # of being queried.
    ip = 198.41.0.4
    ,    192.228.79.201
    ,    192.33.4.12
    ,    128.8.10.90
    ,    192.203.230.10
    ,    192.5.5.241
    ,    192.112.36.4
    ,    128.63.2.53
    ,    192.36.148.17
    ,    192.58.128.30
    ,    193.0.14.129
    ,    198.32.64.12
    ,    202.12.27.33
    ;
    timeout = 5;
    uptest = query;             # Test availability using empty DNS queries.
    interval = 30m;             # Test every half hour.
    ping_timeout = 300;         # Test should time out after 30 seconds.
    purge_cache = off;
    exclude = .localdomain;
    policy = included;
    preset = off;
}
*/

# Local records read from the hosts file.
source {
    owner=localhost;
#   serve_aliases=on;
    file="/etc/hosts";
}

/*
include {file="/etc/pdnsd.include";}    # Read additional definitions from /etc/pdnsd.include.
*/

# Locally defined record for "localhost", with a matching reverse entry.
rr {
    name=localhost;
    reverse=on;
    a=127.0.0.1;
    owner=localhost;
    soa=localhost,root.localhost,42,86400,900,86400,86400;
}

/*
neg {
    name=doubleclick.net;
    types=domain;               # This will also block xxx.doubleclick.net, etc.
}
*/

/*
neg {
    name=bad.server.com;        # Badly behaved server you don't want to connect to.
    types=A,AAAA;
}
*/