
BIND 9 denial of service being actively exploited

Internet Systems Consortium (ISC), the developers of the BIND DNS server, is reporting a denial of service vulnerability that is being actively exploited. "Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert. [...] This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround." ISC is urgently suggesting that everyone upgrade BIND to 9.4.3-P3, 9.5.1-P3, or 9.6.1-P1.

BIND 9 denial of service being actively exploited

Posted Jul 29, 2009 14:18 UTC (Wed) by jwb (guest, #15467)

Thankfully Debian 9.3.4-2etch5 contains the fix also. I was momentarily afraid that I would need to upgrade to a new point release.

BIND 9 denial of service being actively exploited

Posted Jul 29, 2009 16:30 UTC (Wed) by thyrsus (subscriber, #21004)

If there is a better place to discuss this, please post a link.

I *think* I'm not vulnerable, since the only zones for which my (mostly caching) servers are masters are for a physical access controlled network with private addresses (in addition to the usual localhost and 127/8), behind a couple firewalls that shouldn't let unsolicited requests in.

Given those circumstances, I think I can wait for Red Hat to publish an errata instead of spending time to build my own. What do folks think?

If someone knows of a packet filter that can specifically drop such mischievous packets, that would be useful too.
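
As an added illustration of the kind of filter asked about above (example code, not from ISC, LWN or any commenter): a dynamic update is an ordinary DNS message whose header opcode is 5 (UPDATE, RFC 2136) and whose first question-style entry names the target zone. Something sitting in front of named can therefore parse the 12-byte header and the zone name and drop UPDATE requests aimed at a zone this server is master for; since ISC says BIND's own access controls are no workaround, that is the only stopgap short of upgrading. The MASTER_ZONES set and the sample messages below are constructed assumptions.

```python
"""Spot DNS UPDATE messages aimed at zones this server is master for.

Added example (not ISC/BIND code).  The header layout is RFC 1035; the
zone section of an UPDATE (RFC 2136) has the same wire format as a
question entry: NAME, TYPE (SOA), CLASS.  MASTER_ZONES and the sample
messages are constructed for illustration."""
import struct

OPCODE_QUERY = 0
OPCODE_UPDATE = 5

# Assumption: the zones declared "type master" in this server's named.conf.
MASTER_ZONES = {"localhost.", "127.in-addr.arpa.", "0.in-addr.arpa.",
                "255.in-addr.arpa.", "example.test."}


def read_name(msg, off):
    """Decode a possibly-compressed name at msg[off]; return (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            off += 1
            break
        if (length & 0xC0) == 0xC0:            # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2                   # resume after the first pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        if length > 63 or off + 1 + length > len(msg):
            raise ValueError("bad label")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii").lower())
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def classify(msg):
    """Return (qr, opcode, zone): zone is the name in the first question /
    zone-section entry, or None when the message carries none."""
    if len(msg) < 12:
        raise ValueError("short header")
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    zone = read_name(msg, 12)[0] if qdcount else None
    return qr, opcode, zone


def should_drop(msg, master_zones=MASTER_ZONES, drop_all_updates=False):
    """True if msg is an UPDATE request for one of master_zones (or any
    UPDATE when drop_all_updates).  Unparseable messages fail closed, and
    so does an UPDATE without a zone entry (RFC 2136 requires exactly one)."""
    try:
        qr, opcode, zone = classify(msg)
    except (ValueError, UnicodeDecodeError):
        return True
    if qr != 0 or opcode != OPCODE_UPDATE:
        return False                            # queries and responses pass
    return drop_all_updates or zone is None or zone in master_zones


def encode_name(name):
    if name == ".":
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_message(opcode, zone, response=False, ident=0x1234):
    """Constructed sample: a one-entry request or response; an UPDATE's
    zone entry uses TYPE=SOA(6), CLASS=IN(1)."""
    flags = (0x8000 if response else 0) | ((opcode & 0xF) << 11)
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)


if __name__ == "__main__":
    for op, z in [(OPCODE_UPDATE, "localhost."), (OPCODE_UPDATE, "example.org."),
                  (OPCODE_QUERY, "localhost.")]:
        print(op, z, "DROP" if should_drop(build_message(op, z)) else "pass")
```

The parser handles UDP payloads; DNS over TCP carries a two-byte length prefix, so strip that first. Dropping every UPDATE to a master zone also blocks legitimate dynamic updates for it, which is acceptable for a mostly-caching server that never enabled DDNS but not for one that relies on it.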

BIND 9 denial of service being actively exploited

Posted Jul 29, 2009 19:12 UTC (Wed) by ESRI (guest, #52806)

FYI, Red Hat has published their errata.

Any guesses on when Sun will get theirs out? *grumble*

BIND 9 denial of service being actively exploited

Posted Jul 29, 2009 22:32 UTC (Wed) by jond (subscriber, #37669)

I believe you are still vulnerable. The wording of the Debian security advisory included:

"This vulnerability affects all BIND servers which serve at least one DNS zone authoritatively, as a master, even if dynamic updates are not enabled. The default Debian configuration for resolvers includes several authoritative zones, too, so resolvers are also affected by this issue unless these zones have been removed."

The authoritative zones in the Debian package include the localhost zone and some broadcast ones (255, 0).
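
To check the point made above, here is an added example (not ISC or Debian code) that scans named.conf-style text for zone statements and lists the ones declared type master; any entry in that list means the advisory applies, regardless of whether dynamic updates are enabled. The sample configuration is constructed to resemble Debian's default zones (localhost plus the 127, 0 and 255 reverse zones).

```python
"""List the zones a BIND 9 named.conf makes this server master for.

Added example, not ISC or Debian code: a brace-aware scan of zone
statements, adequate for stock zone declarations.  SAMPLE_NAMED_CONF is
constructed to resemble a Debian-style default configuration."""
import re

SAMPLE_NAMED_CONF = """\
// constructed sample modelled on a Debian-style default configuration
options { directory "/var/cache/bind"; recursion yes; };
zone "." { type hint; file "/etc/bind/db.root"; };
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
zone "example.test" IN {
    type slave;  /* slave zones do not trigger the assert */
    masters { 192.0.2.1; };
    file "db.example";
};
"""

ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"(?:\s+\w+)?\s*\{')
TYPE_RE = re.compile(r'\btype\s+(\w+)\s*;')


def strip_comments(text):
    """Remove /* */, // and # comments (named.conf allows all three)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def zone_blocks(text):
    """Yield (zone_name, body) for each zone statement; braces are counted
    so nested blocks such as masters { ... } stay inside the body."""
    text = strip_comments(text)
    for m in ZONE_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError("unbalanced braces in zone %r" % m.group(1))
        yield m.group(1), text[m.end():i - 1]


def master_zones(text):
    """Zone names declared 'type master', normalised to lower case with a
    trailing dot."""
    found = []
    for name, body in zone_blocks(text):
        t = TYPE_RE.search(body)
        if t and t.group(1).lower() == "master":
            found.append(name.lower().rstrip(".") + ".")
    return found


def is_affected(text):
    """True if the configuration makes this server master for any zone."""
    return bool(master_zones(text))


if __name__ == "__main__":
    print(master_zones(SAMPLE_NAMED_CONF))
```

The scanner does not follow include statements, so concatenate named.conf with the files it includes (on Debian, named.conf.default-zones among them) before running it.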

BIND 9 denial of service being actively exploited

Posted Jul 29, 2009 18:24 UTC (Wed) by jengelh (subscriber, #33263)

Can the assert still be triggered when DDNS is turned off, i.e. there are no allow-update{} blocks?

BIND 9 denial of service being actively exploited

Posted Jul 29, 2009 18:32 UTC (Wed) by jeleinweber (subscriber, #8326)

Yes, you are *still* vulnerable even if you have dynamic update turned off and an ACL denying the client IP address. Ick!

BIND 9 denial of service being actively exploited

Posted Jul 29, 2009 19:29 UTC (Wed) by einstein (subscriber, #2052)

Ah, so that's why my ubuntu boxes got a bind update this morning...

Why BIND?

Posted Jul 30, 2009 17:26 UTC (Thu) by erwbgy (subscriber, #4104)

Why do people still insist on running BIND as a DNS server? It has an awful security track record and all its features are now available in other DNS servers. Personally I run djbdns but there are numerous others. Is it just inertia?

Why BIND?

Posted Aug 3, 2009 1:46 UTC (Mon) by rfunk (subscriber, #4054)

BIND is the standard DNS server. In most places you need to give a reason NOT to use it, rather than a reason TO use it.

BIND 9 was a total rewrite, intended to wipe clean the bad history.

As the standard DNS server, it must do everything. DJB is free to ignore the parts of the standards that he doesn't like, but the BIND people do not have that luxury.

All that said, I tend to avoid BIND as well, preferring maradns, pdnsd, and others. (I'm not a DJBware fan.)

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds