Bug 462751 (CVE-2008-4100) - CVE-2008-4100 adns: DNS spoofing flaw
Summary: CVE-2008-4100 adns: DNS spoofing flaw
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2008-4100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On: 462752 462753 462754
Blocks:
Reported: 2008-09-18 18:40 UTC by Josh Bressers
Modified: 2019-09-29 12:26 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-12-23 23:45:59 UTC
Embargoed:

Description Josh Bressers 2008-09-18 18:40:17 UTC
GNU adns 1.4 and earlier uses a fixed source port and sequential
transaction IDs for DNS requests, which makes it easier for remote
attackers to spoof DNS responses, a different vulnerability than
CVE-2008-1447. NOTE: the vendor reports that this is intended behavior
and is compatible with the product's intended role in a trusted
environment.

Reference: URL:http://www.milw0rm.com/exploits/6197
Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/11/1
Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/16/4
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492698

Comment 2 Vincent Danen 2010-12-23 23:45:59 UTC
The upstream INSTALL document states:

SECURITY AND PERFORMANCE - AN IMPORTANT NOTE

  adns is not a `full-service resolver': it does no caching of responses
  at all, and has no defence against bad nameservers or fake packets
  which appear to come from your real nameservers.  It relies on the
  full-service resolvers listed in resolv.conf to handle these tasks.

  For secure and reasonable operation you MUST run a full-service
  nameserver on the same system as your adns applications, or on the
  same local, fully trusted network.  You MUST only list such
  nameservers in the adns configuration (eg resolv.conf).

  You MUST use a firewall or other means to block packets which appear
  to come from these nameservers, but which were actually sent by other,
  untrusted, entities.

  Furthermore, adns is not DNSSEC-aware in this version; it doesn't
  understand even how to ask a DNSSEC-aware nameserver to perform the
  DNSSEC cryptographic signature checking.

Therefore this is intended behaviour and not a security issue in and of itself.
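
Added example (not part of the bug report and not adns code): a defender-side audit that takes observed resolver queries and reports the two properties named in the description, a fixed UDP source port and sequential transaction IDs. The function names, the `(source_port, payload)` input shape and the 0.9 threshold are assumptions, and the sample queries are constructed.

```python
import struct
from collections import Counter

def build_query(txid: int) -> bytes:
    """Constructed DNS query (example.com, A, IN) with the given transaction ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

def txid_of(payload: bytes) -> int:
    """The transaction ID is the first 16 bits of the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", payload[:2])[0]

def audit_queries(queries, threshold=0.9):
    """queries: [(udp_source_port, dns_payload), ...] in the order they were sent."""
    if len(queries) < 3:
        raise ValueError("need at least 3 queries")
    ports = {port for port, _ in queries}
    ids = [txid_of(payload) for _, payload in queries]
    # Differences modulo 2**16, so a wrap from 0xffff to 0x0000 counts as +1.
    steps = Counter((b - a) % 65536 for a, b in zip(ids, ids[1:]))
    fixed_port = len(ports) == 1
    sequential = steps[1] / (len(ids) - 1) >= threshold
    return {
        "fixed_source_port": fixed_port,
        "sequential_ids": sequential,
        # With both set, neither field adds unpredictability to a reply.
        "predictable": fixed_port and sequential,
    }

# Constructed samples, not captured traffic.
FIXED_SEQ = [(32769, build_query((0xFFFE + i) & 0xFFFF)) for i in range(6)]
VARIED = list(zip([40211, 51877, 33012, 60990, 45123],
                  map(build_query, [0x9C1E, 0x0A77, 0xE302, 0x51B9, 0x7D40])))

if __name__ == "__main__":
    print("fixed port, sequential IDs:", audit_queries(FIXED_SEQ))
    print("varied port and IDs:       ", audit_queries(VARIED))
```

A host that reports `predictable` is in the situation the INSTALL note addresses: it should only talk to a full-service resolver on the same system or a fully trusted local network, with forged packets filtered.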

