MoinQ:

Describe DNS/resolver-vulnerabilities/Nginx here.

http://blog.zorinaq.com/nginx-resolver-vulns/

Never configure nginx with the resolver directive pointing to a resolver on the Internet like Google Public DNS, OpenDNS, or your ISP’s resolver.

Many nginx users make this exact mistake.

Even pointing to a resolver on your internal local network may be a bad idea.

Using a resolver on localhost (resolver 127.0.0.1) is the only safe option, and mitigates against all vulnerabilities documented in this post.

[Edit 11 May 2017: Eight months after reporting these vulnerabilities to the nginx developers, they still refuse to fix issues 2, 3, and 6. They did fix issues 1, 4, and 5, but did so without publishing a security advisory.]

1. vulnerability

I discovered that not only does nginx’s stub resolver generate non-random or predictable DNS txids, but also each nginx worker process reuses the same UDP source port for every DNS query.
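An added audit script (not from the quoted post or from nginx) that checks captured outbound DNS queries for the two weaknesses named above: a fixed UDP source port per worker and predictable txids. The query records are constructed sample data; in practice they would come from a packet capture of the server's own resolver traffic.

```python
"""Audit a stub resolver's outbound DNS queries for a fixed UDP source port
and predictable transaction IDs (the weaknesses described in the quoted post).
All query records below are constructed sample data, not real captures."""
from collections import Counter
from typing import List, Tuple

# (udp_source_port, txid) pairs in the order the queries left the host.
# Constructed to mimic the described behaviour: one port, txid incrementing by 1.
WEAK_QUERIES: List[Tuple[int, int]] = [(40817, 0x1A20 + i) for i in range(8)]

# Constructed sample of a resolver that randomises both port and txid.
GOOD_QUERIES: List[Tuple[int, int]] = [
    (51234, 0x3F1C), (42871, 0x09A7), (60102, 0xE4D2), (33918, 0x7B60),
    (49005, 0xC113), (55530, 0x2E8F), (38742, 0x96A4), (61377, 0x5D07),
]


def source_port_reuse(queries: List[Tuple[int, int]]) -> float:
    """Fraction of queries sent from the single most common source port.
    1.0 means every query used the same port (no source-port randomisation)."""
    ports = Counter(port for port, _ in queries)
    return max(ports.values()) / len(queries)


def txid_predictable(queries: List[Tuple[int, int]], max_step: int = 4) -> bool:
    """True when every consecutive txid pair differs by a small positive step
    (modulo 16 bits), i.e. the IDs look sequential rather than random."""
    ids = [txid for _, txid in queries]
    if len(ids) < 2:
        return False  # not enough data to judge
    small_steps = sum(
        1 for a, b in zip(ids, ids[1:]) if 0 < (b - a) % 65536 <= max_step
    )
    return small_steps == len(ids) - 1


def audit(queries: List[Tuple[int, int]]) -> List[str]:
    """Return the list of weaknesses found; an empty list means none detected."""
    findings = []
    if source_port_reuse(queries) > 0.5:
        findings.append("fixed source port")
    if txid_predictable(queries):
        findings.append("predictable txid")
    return findings


if __name__ == "__main__":
    print("weak resolver:", audit(WEAK_QUERIES))   # → ['fixed source port', 'predictable txid']
    print("good resolver:", audit(GOOD_QUERIES))   # → []
```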

2. nginx site

http://nginx.org/en/security_advisories.html