Running BIND 4 or 8? Upgrade!
The Dev was the first of several zillion to point out that security holes were found in BIND. The detailed table of known vulnerabilities will help clarify (and it has tarball links too), but the short version is, if you're running BIND 4 or BIND 8, set aside some time today to upgrade to 4.9.8 or 8.2.3 (not beta, betas of 8.2.3 are vulnerable). And now's a good time to reconsider version 9, too. SecurityFocus warns that the last time a BIND hole of this magnitude was found, it was followed by a "cyber-crime wave." Exploits for these holes were successfully created by COVERT Labs, but nobody seems to know whether they're in the wild yet. Obviously, they soon will be. Post your questions and answers about upgrading below.
You want bind-8.2.3-0.6.x.i386.rpm
bind-devel-8.2.3-0.6.x.i386.rpm and
bind-utils-8.2.3-0.6.x.i386.rpm
Yes, it works. I moved all of the sites I maintain to djbdns during the last round of BIND vulnerabilities. IMHO, use djbdns and junk BIND, and while you're at it, use Qmail and junk Sendmail
So how come there's a patch on the OpenBSD website? And it's a big patch. And no comment on the website.
Applying it to my heavily loaded production 2.6 is promising to be a bitch, because the patches given are for later versions.
so what is bind, and what's it used for?
please don't dismiss this cos i'm an AC. thanks
#%patch3 -p1 -b .glibc21
#%patch4 -p1 -b .host
#%patch5 -p1 -b .mx
#%patch6 -p1 -b .ttl
#%patch7 -p1 -b .restart
Then, build the thing with "rpm -bb bind.spec". After that went through, you will find the binary RPM in
Say, what license was that again? Are you *sure* you're allowed to use it?
-Dom
Except that most of us who take running a network fairly seriously knew about it on 1/26 and upgraded immediately. 16 total servers. If we can manage that, most of the guys with 1 and 2 servers can patch theirs.
- Why is the ninja... so deadly?
Well, OpenBSD isn't for everyone (or even every one of "us") and doesn't try to be (at least not as hard as Linux, for instance).
--
Fuck the system? Nah, you might catch something.
Which raises the question: Why aren't we all using OpenBSD's version of bind, just like we're all using OpenBSD's version of SSH?
--
Fuck the system? Nah, you might catch something.
how is it possible to break out of chroot?
Also, why does bind run as root? I think it would be appropriate for it to switch to an unprivileged user after binding port 53, the way apache does. Or even bind it to a different port and use the firewall to redirect port 53 to it -- then you don't need root at all. Ideas, anyone?
___
___
If you think big enough, you'll never have to do it.
What, you don't think black hats read bugtraq? Maybe you think they make you show your white hat membership card before you can join the mailing list. Heh.
/. is actually very late in reporting this, and I'm a bit disappointed. The Reg had it hours ago, and of course that came hours after it was on Bugtraq. Still, I'd think that someone must have noticed and submitted to /. earlier than this appeared, which leaves the editors as the bottleneck.
What you seem to not get is that everyone for whom this kind of thing is important already read about it on bugtraq/securityfocus and upgraded. All the kiddies are already spreading whatever software someone wrote for them. Now it's time for the rest of us to learn about this and upgrade, and a /. posting is a good way to get the awareness out.
Good /., but next time a little quicker, eh?
The enemies of Democracy are
If djbdns was used on every server instead of BIND, there'd probably be problems found with it too.
No doubt. There are always problems with software, and it takes effort to find them. But the poster would have us believe that no bugtraq listings == no bugs. Riiight. Sorry, but my drivers license doesn't list my date of birth as yesterday.
The enemies of Democracy are
Perfect time for ... Slack! Dump those inferior and untrusted distros.
-- Ted tsikora@powerusersbbs.com
-- I doubt, therefore I might be.
These last two weeks have been hell as far as stuff being messed up with DNS. I know I'm not the only one who has seen this problem.
Pman - playa@linuxpimps.com
DNS is available on both UDP and TCP. How do you think you get responses too large to fit in a UDP packet?
Real men dont use porn...real men get the REAL thing. hehe
.. with fresh, new and exciting bugs for us to enjoy for many years to come! :)
--
Delphis
this exploit breaks out of a chroot jail, just like most of the older ones.
.. if the process doesn't have permissions to modify *any* files (just read its configuration and data files) then there is much less chance of anything actually HAPPENING on the server IF that process is broken into by a remote exploit.
Who cares what the root directory is?
--
Delphis
All the more reason to run your named as a nobody 'named' user without permissions to DO anything on the host machine.
--
Delphis
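The two threads above (how an exploit breaks out of chroot, and why named runs as root instead of switching to an unprivileged user once port 53 is bound) both come down to the order of operations at startup. Here is an added example of that sequence in C; it is illustrative code written for this thread, not BIND's own startup code. The "named" uid/gid of 53 and the /var/named jail directory in main() are placeholders, and the self-check functions bind an ephemeral port and skip the chroot so they can run without root.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Create and bind the UDP listener while still privileged.  Port 53 needs
 * root; port 0 asks the kernel for an ephemeral port and works unprivileged,
 * which is what the self-check uses.  Returns the fd or -1. */
int bind_dns_socket(unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop privileges after the socket is bound.  Order matters:
 *   1. chroot, then chdir("/") so the cwd is inside the jail (needs root),
 *   2. clear supplementary groups and set the primary gid,
 *   3. set the uid last, because after this step nothing above is possible.
 * root_dir may be NULL to skip the chroot.  Returns 0 on success, -1 on error. */
int drop_privileges(const char *root_dir, uid_t uid, gid_t gid)
{
    if (root_dir != NULL && (chroot(root_dir) != 0 || chdir("/") != 0))
        return -1;
    /* Only root may clear the supplementary group list; an unprivileged
     * caller has nothing to shed here. */
    if (getuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining uid 0 must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* 1 when both real and effective ids match the requested ids, else 0. */
int running_as(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(void)
{
    /* Placeholder deployment values: a dedicated "named" account (look the
     * ids up with getpwnam in real code) and a jail directory. */
    uid_t named_uid = 53;
    gid_t named_gid = 53;
    int fd = bind_dns_socket(53);
    if (fd < 0) {
        perror("bind udp/53 (needs root)");
        return 1;
    }
    if (drop_privileges("/var/named", named_uid, named_gid) != 0 ||
        !running_as(named_uid, named_gid)) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on udp/53 as uid %u inside /var/named\n",
           (unsigned)getuid());
    close(fd);
    return 0;
}
```

The chroot alone is only a fence around the filesystem: a process that keeps uid 0 inside the jail can still create device nodes or otherwise work its way out, which is why the uid change has to follow the chroot and why the check that setuid(0) fails afterwards is worth keeping. Binding port 53 is the one step that needs root; once the socket is held, nothing else in the daemon does.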
Let see this page sets the limit for distribution, and this page has a discussion on Bernstein's thoughts on licenses.
Or if you are too lazy to go to the link of the last one, let me quote:
What does all this mean for the free software world? Once you've legally downloaded a program, you can compile it. You can run it. You can modify it. You can distribute your patches for other people to use. If you think you need a license from the copyright holder, you've been bamboozled by Microsoft. As long as you're not distributing the software, you have nothing to worry about.
Wanna try again?
Je ne parle pas francais.
Following the same analogy, if Linux was run on all the servers that WindowsNT does, it would have problems too?
Does it mean that because OpenBSD is used less than Linux/Windows/whathaveyou, that is probably as bad as the more used?
djbdns was designed with security in mind, BIND was not, and neither is the new version (by the authors own admission). djbdns uses the KISS principle. BIND does not.
The author of djbdns has a reward out for his software. He is *that* confident in his work. Would you bet money on BIND?
Je ne parle pas francais.
All software has bugs. OK. BIND has a track record of having security related bugs.
Maybe we should be more forgiving to Microsoft security issues then?
Je ne parle pas francais.
Oh, did you read the quote I wrote?
You can change qmail or any application Bernstein writes to your heart's delight. Just don't distribute it and claim it is the original.
Je ne parle pas francais.
I guarantee you that Akamai will patch far faster than microsoft did their own DNS servers.
I said no... but I missed and it came out yes.
Like Windows? Even microsoft is now using Linux based DNS servers (Akamai).
Enjoy
Panaflex
I said no... but I missed and it came out yes.
Sorry to be in bad form.. Here's some anti-troll for you.
>nslookup www.microsoft.com
Server: trusty
Address: 172.16.20.16
Non-authoritative answer:
Name: www.microsoft.akadns.net
Addresses: 207.46.230.219, 207.46.230.229, 207.46.230.218
Aliases: www.microsoft.com
I said no... but I missed and it came out yes.
My opinion on it? Quit telneting into it and install the dang free SSHD from the link that I mentioned above already!! :P Then go grab PuTTY (a Win32 ssh client, but great for all kinds of terms) if you're going to be connecting to it from another Win32 box.
As far as stopping and starting services from the command line, use "net (start | stop) servicename ". For example, now that you've installed SSHD (you did install SSHD, right? ;) ), you can stop the telnet service, which is named "TlntSvr" by typing "net stop TlntSvr".
To start it back up: net start TlntSvr
To list all running services: net start
One other thing, is that the services have both a short name and a long name (at least it seems like they all do). You can use either in the net start/stop command, but if the name of the service contains a space, you need to put quotes around the service name, like: net start "Perl Socket Service"
BTW, a good place to ask questions like yours is the newsgroup news://msnews.microsoft.com/microsoft.public.win2000.cmdprompt.admin
Cheers,
Just a few points: the Win2K command prompt does give you a lot of remote control options. Hell, just use PerlScript, JScript, etc. if you want or need to. I'm trying to be informative here, not to flame you, but I have the feeling that you're complaining about the command prompt because you're not very knowledgeable about it — for example, if you were familiar with it, you surely would've known that you could use tlntadmn.exe to change the logon verification options for the telnet server. NTLM is a better way to connect, because it's not sending your password across the network in cleartext (well, it's not even sending it encrypted, either). But if you really wanted to turn it off, to work with clients that can't do NTLM, tlntadmn.exe lets you do it. Also, why are you using telnet instead of SSH anyway? Death wish?
Cheers,
My logs are filled with attempts to port 53. All of them appear to originate from spoofed ip addresses. Some script kiddies out there trying to do some damage.
MS's DNS service is actually just an enhanced Bind + GUI management. It *IS* vulnerable to the TSIG bug
To make things worse :
The DNS in WindowsNT is based on BIND 4.*.
And the DNS of Windows2000 is based on bind 8.1.*.
And M$ still haven't put out a security bulletin about the issue.
So, with any luck in about 2 months M$ will issue a warning on this problem.
Is that like the uni-directional bonding strip? ("Mr. Lightyear wants more tape!")
has anyone else noted that the size of the named binary for BIND 8 is rather large?
-rwxr-xr-x 2 root other 11391688 Jan 30 09:50 named*
I suppose just stripping it may help... (This is on Solaris 8)
Any recommendations on making the changes between BIND 8 and 9 quick and painless?
If I was that drunk, I would have remembered it -- H. Simpson
Most security leaks are a direct consequence of using languages like C. People claim it is possible to program safely in C, however, incidents like this prove them wrong.
Jilles
If OpenBSD maintainers found it that long ago, did they report it to the Bind authors ?
If they did, why wasn't it fixed before ?
And why did Bugtraq only just hear of it ?
What about running djbdns in supervised mode?
Do your best, hope for the best, suspect the worst.
You also need to put "$TTL 86400" or similar at the top of your zone files, if you don't have it yet.
The conversation between you two was fascinating, and you don't see much of that sort of thing around here anymore. It's nice to see a good news story will still bring out the nerds, as it were.
-jpowers
-jpowers
What need is there to add on to qmail? There hasn't been an exploit (not including lame DoS) since Bernstein wrote it way back in '97. Also if you need a feature, do it the unix way and add it on. The code base has everything needed for basic MTU. The idea behind qmail is for the sysadmins to add on what they wish to have.
MarNuke
The Inquisitor with an English accent may have some questions for you ;-)
Maintain a questioning attitude
I believe Juanita
it's nice to check and make sure you're not running services-even by accident. especially if you're not a 1337 HaX0r. it would suck if you accidentally started bind and grepped through your ps for bind to make sure it wasn't running only to be hacked later because you didn't know the process was running as named.
use LaTeX? want an online reference manager that
-- john
It is possible to write errorfree code! But you need to be systematic about it, and you probably want to use a language that aids you in that. I hear a lot of people say: "I like C, since I can have the freedom to do [some way of shooting yourself in the foot]!". Well, go ahead and realize what you will be fixing for the next 30 years! Most bugs in software could have been avoided, since the pitholes have been described for the last 20 years.
Yuck! even the so-called "progressive" part of the (non-academical) IT-world is buying the Microsoft view of "fixing the holes as we find them". Good it isn't aviational systems you build.
:-) = I am happy
:^) = I am happy with my big nose
C:\> = I am happy with my OS
Not like high school programming courses matter anyway... Maybe it would get you exempted from something in college, but in any case people going into the field learn it one way or another, most likely in college, where, in general, they actually hire appropriate people for the job..
XML is like violence. If it doesn't solve the problem, use more.
> but nobody seems to know whether they're in the
> wild yet.
As h2odragon pointed out below, it seems to be in the wild. In fact I noticed a large increase in attempts on port 53 over the weekend myself.
--
Jim Buchanan
Well I spent 3.5 hours last night upgrading all of our servers to 8.2.3
To ease anyone's fears, 8.2.3 works just fine with existing 8.2.3 conf files, so all you need to do is make the tarball and stop/start named.
---The proceeding comments were not paid for by the following advertisers.
8.2.2 conf files even. Of course I did not get much sleep because of said late night work.
---The proceeding comments were not paid for by the following advertisers.
Now it would be cool to have super human vision, but I definitly would not say the same about this story.
BIND vulnerabilities are *NOT* cool.
Except "real languages" suck when it comes to speed.
Windows DNS server uses BIND code.
It has been statistically shown that helmets increase the risk of head injury.
- My main point is that you can't rely on other people to know what needs checking: empirically, they don't.
- A language which does bounds checks doesn't have to check every access: it's often possible to prove things about the code and move checks out of loops, and so on. It's also possible for the compiler to warn you when it can't do this, so you can make declarations which enable it to prove more things. This is not new technology!
It is, I suspect, hard to do this in a language which offers bounds checking as a bolt-on extra, like C++ (by overloading [] for instance): you need the compiler to really know about it.
- Serious implementations of languages that offer bounds checking should offer ways of saying that it's just safe to assume everything is OK in a bit of code, and so compile code which has no checks. You need this in a per-block basis, not per file, so you can bum only the places where you know the time is being spent.
- Bounds checks are not that expensive in any case -- the compiler should be able to get the index and the bound into a register at the start of any loop, and do a register comparison, which is seriously cheap compared to touching memory (which you're about to do when you access the array...). Again, having the compiler know about the checking is a win here.
- Not that much code is speed-critical in ways that bounds-checking will hurt -- for instance I doubt that many instances of BIND would be constrained by bounds-checking overhead! Some code obviously is, and I'm not suggesting that there should not be ways of making this stuff not need to check. Importantly, a performance profiler can find these parts of the code for you pretty reliably.
In summary, what I'm trying to say is that, purely empirically, most people do *not* know where the problems are in their code (any more than they know where the performance bottlenecks are without profiling), and that therefore I'd like to see people write using languages which were safe-by-default with compilers that can optimise away checks, and the option of turning off safety for performance-critical parts of the code. Working this way means that you can use a well-defined performance profiler to tell you where you might need to *not* bounds check, rather than some typically poorly-defined test-suite which might find the places where you do need to check. Of course, I don't see much chance of this happening because worse is better, but I can dream.
I kind of hope that most of the libraries are, mostly, in Java: it's a whole lot more convincing if the language can eat its own dogfood, especially since the language is meant to be trusted to run random code downloaded from the net, which could be specially devised to exploit weaknesses in the libraries. But the VM probably can't be, and some core of the libraries is likely not to be (though this core could be OS system calls). So there is probably going to be some significant amount of C/C++ in a Java system, unlike a native-code system.
But this is a constant core of code, which *all* Java programs share. So you only have to check it once, and once you're sure it's safe, it's safe for all Java programs. This is completely different than a program which is itself implemented in a non-bounds-checked language: every program now has to be checked for overflow problems. This means you have constant work to do (check the libs and the VM) rather than work proportional to the number of programs you might want to run.
There, this is really my last comment on this!
Seriously: there must be so much evidence by now that it is just too hard for human beings to do all the bounds checking by hand that I'm fairly surprised that security critical code is still written in C.
I've never looked at any of the securified versions of things like BIND, but I suspect they do it by inventing a bounds-checked framework in which they then write the code...
he's not talking about the fragin java compiler but the runtime and that is most definately written in C/C++.
--
You can be an atheist and still not want to succumb to some weird cross-over sheep disease -- AC
It doesn't matter how large or complex the code is nor how elegant and securely it's written if the underlying architecture & methodology principles suck.
Bugs can be fixed and holes patched but if the very process the code uses to do its thing is flawed then there will always be ways to exploit that process in some capacity.
One poster asked how it was possible to still be finding holes in BIND after all these years when so many eyes have gone through the source code... maybe we should take a pointer from the *BSD camp; they fix how the code functions and then they evaluate why the code does something in that manner so design flaws can be addressed.
BIND 9.x is on the right track. They've completely rewritten nearly all aspects of the underlying architecture to address the design problems inherent in BIND 4 & 8.
Do not taunt Happy-Fun Ball
Before djbdns I used Bind. What a piece of garbage. It's slow and bloated. Writing scripts to deal with its data files is a nightmare. And the code is so piss-poor people can't help but find security holes. This is not the first hole in bind and it certainly won't be the last.
... using djbdns which apparently is much more lightweight and can handle a lot more load?
http://cr.yp.to/djbdns.html
Just a suggestion/question. Does anybody have experience with this one?
Absolutely agree. It's insane that safer languages aren't used for a majority of OS level tools. Security is certainly being sacrificed to the altar of performance (even if the performance in practise would be acceptable).
Anyone who believes that better programming practises can address this sufficiently is sticking his head in the sand.
The depressingly long series of Linux patches (which by the way is impossible for a non-sysadmin to keep up with, rendering Linux an effectively insecure OS) is empirical proof of this.
I see someone else has been watching the widescreen version of B5. Too much Vorlon on the brain. :)
> People claim it is possible to program safely in C, however, incidents like this prove them wrong.
Granted, C makes it harder, but it is not impossible to write good code in C.
C++ makes it much easier, with classes, and code re-use.
--
djbdns (http://cr.yp.to/djbdns.html) works very well and has no known security holes. It's also a lot more flexible and in some situations much less resource intensive than BIND.
SSHd is available for W2K. See http://www.ssh.com/.
- mipe -
> Cut the crap, one of the most important tools on the internet broke down because of a memory leak.
Incorrect. It was a potential buffer over-run exploit and not a memory leak. A memory leak is when memory is reserved by a program, and then the program forgets to release it. eg a function uses malloc() to reserve an area of memory for some temporary string manipulation and then forgets to free() that memory area before the function ends. If this function is called repeatedly then the program starts to soak up more and more memory until it (or in some primitive operating systems the OS itself) falls over. There are tools available to detect memory leaks in C programs such as Purity. Some languages deal with freeing up memory automatically, such as Java, using garbage collection.
A buffer over-run is where an area of memory is allocated and data is written to that area with no safeguards to ensure that the size of the data written is not greater than the size of the reserved memory area itself. This usually happens in cases where the data entered is not under the control of the software author, eg user-entered data. Once the data starts writing past the area reserved, it starts scribbling over areas reserved for other programs and for the OS itself.
> Of course it is possible to create good programs if you don't make any errors, duh. The problem is that humans do make errors. And since C provides little or no protection against these errors it is unsafe.
The checks are either made by humans, or an automated tool that simulates the checks that human would have made. This applies as much to any 'safe' language as to C and associated software tools. If a programmer wishes to use C then they will have to learn to sanitise and bound user data. To cut down a sapling it doesn't matter which end you pick up a saw with. Those that cut down large trees quickly learn the business end of a running chainsaw.
> As long as we will use C for implementing these kind of things, there will be memory leaks. Of course C is a very performance efficient language, however, things like this make it unsuitable for security critical apps because you can never be 100% sure it doesn't have memory leaks.
Substituting memory leaks for buffer over-runs, as explained above, it is simply a case of those writing security critical apps needing a little more discipline and a lot more help auditing. Buffer over-runs are one of many things to watch for. There are many surprises that users can catch you with. In the trade-off between security, performance, available libraries, pervasiveness (you won't get code review if no-one understands the language) and flexibility, can you suggest another language that scores higher than C for such a low-level application?
Phillip.
Property for sale in Nice, France
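To make the buffer over-run half of the explanation above concrete, here is an added C example (written for this thread; it is neither BIND's code nor the vulnerable code from this advisory) of the kind of parsing a name server does on every packet: decoding a wire-format domain name into a fixed buffer. The sample packets in it are constructed for the example. Every length byte comes off the network, so each one is checked against the packet, the RFC 1035 limits and the output buffer before anything is copied; remove the marked check and attacker-chosen bytes land past the end of out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME  255   /* RFC 1035: whole wire-format name, incl. root label */
#define DNS_MAX_LABEL 63    /* RFC 1035: a single label */

/* Decode the uncompressed wire-format name starting at msg[off] into out
 * (capacity outsz) as dotted text ("www.example.com.").  Returns the number
 * of wire bytes consumed, or -1 on malformed or oversized input.
 * Compression pointers (top two bits set) are rejected rather than
 * followed, to keep the example short. */
int decode_name(const uint8_t *msg, size_t len, size_t off,
                char *out, size_t outsz)
{
    size_t pos = off, o = 0, wire = 0;

    if (out == NULL || outsz < 2)
        return -1;
    for (;;) {
        if (pos >= len)                     /* length byte beyond packet */
            return -1;
        uint8_t l = msg[pos++];
        if (l == 0)                         /* root label terminates name */
            break;
        if (l & 0xC0)                       /* pointer or reserved bits */
            return -1;
        if (l > DNS_MAX_LABEL)
            return -1;
        if (l > len - pos)                  /* label data beyond packet */
            return -1;
        wire += 1 + l;
        if (wire + 1 > DNS_MAX_NAME)        /* + the terminating zero byte */
            return -1;
        /* The over-run check: label, '.' and NUL must all fit in out.
         * An unchecked memcpy here is exactly the write that lets packet
         * data overwrite whatever sits after a small caller buffer. */
        if (l + 2 > outsz - o)
            return -1;
        memcpy(out + o, msg + pos, l);
        o += l;
        out[o++] = '.';
        pos += l;
    }
    if (o == 0)                             /* the root name prints as "." */
        out[o++] = '.';
    out[o] = '\0';
    return (int)(pos - off);
}

static char name_buf[DNS_MAX_NAME + 1];

/* Convenience wrapper: decoded text for the name at offset 0, or NULL. */
const char *decode_to_text(const uint8_t *msg, size_t len)
{
    return decode_name(msg, len, 0, name_buf, sizeof name_buf) < 0 ? NULL : name_buf;
}

/* 1 if the name decodes into an output buffer of outsz bytes, else 0. */
int fits_in(const uint8_t *msg, size_t len, size_t outsz)
{
    char small[512];
    if (outsz > sizeof small)
        outsz = sizeof small;
    return decode_name(msg, len, 0, small, outsz) >= 0;
}

/* Constructed over-long name: five 63-byte labels = 320 wire bytes > 255.
 * Returns 1 when the decoder rejects it. */
int oversized_name_rejected(void)
{
    uint8_t pkt[5 * 64 + 1];
    for (int i = 0; i < 5; i++) {
        pkt[i * 64] = 63;
        memset(pkt + i * 64 + 1, 'a', 63);
    }
    pkt[5 * 64] = 0;
    return decode_name(pkt, sizeof pkt, 0, name_buf, sizeof name_buf) < 0;
}

int main(void)
{
    /* Constructed sample: 3 "www" 7 "example" 3 "com" 0 (octal escapes). */
    const uint8_t pkt[] = "\003www\007example\003com";
    const char *text = decode_to_text(pkt, sizeof pkt);
    printf("%s\n", text ? text : "(malformed)");
    printf("oversized name rejected: %d\n", oversized_name_rejected());
    return 0;
}
```

The memory-leak distinction holds here too: nothing in decode_name allocates, so it cannot leak, yet a single missing comparison is enough for a 63-byte label from the wire to overwrite whatever follows a short caller buffer. Note that this does not yet handle compression pointers; a real decoder that follows them also has to bound the number of hops so a pointer loop cannot spin forever.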
My guess is that this is because programming has moved from enthusiasts becoming programmers as a natural progression to an influx of new converts who have heard that "computer are where the money is, innit". Hopefully the dot-com shakeout will have shed a few jobsworths?
> How about:
> Start writing critical software in languages which check array bounds both at compile time where possible -- which can eliminate runtime overhead -- and at runtime where needed, and handle out-of-bounds accesses gracefully.
It is valuable to discuss moving to a new language, and the pros and cons of the various target languages, but surely there is something we can do to improve the immediate extensive base of C code?
Phillip.
Property for sale in Nice, France
> Let's suppose your fairy godmother appears and offers to use her magic to make your system safe and secure.
:-) I have worked through OS development, to applications, to pure web (see my CV).
> As part of the way the magic works, in order to remove all buffer overflows and memory leaks and the like, it will cause all your programs to use twice as much cpu horsepower.
> Would you take her up on the offer? Is it worth sacrificing some horsepower for security and safety?
I would take her up on it as soon as I had independent evidence it was true, I wouldn't take her word for it. As the efficiency and scalability improves we will see more and more shifting over but it will be tiered. First the non mission-critical applications (eg offline batch processing), then those where maintainability and development are more important (eg application server modules) and the critical applications will come last.
Let's take a look at CGI development. Initially all CGI scripts were written in C. Then they moved to Perl as this provided more power. Finally there was a divergence as it moved to PHP/ASP/JSP and Servlet/AppServer/(insert code rather than page orientated here) but they both offered increased security and maintainability. However, the progression only happened once the technology matured enough to be stable and provide enough oomph.
Cold Fusion appeared early in fairy godmother trappings, promising much, and was successful for small enterprises but fell over when large corporates tried to deploy it.
> You can program completely safely in assembly language -- heck, even directly in binary using a hex editor. It's just not productive to do so. The high level C does so much of the bookkeeping for you. Similarly, using even higher level languages to achieve type safety, bounds checking, automatic memory management, etc. is just an extension of getting the computer to automate more of the tedious bookkeeping of programming. Isn't it worth it? For *most* applications (esp. bind) is the efficiency of C *so* important?
Answered elsewhere.
> Not trying to start a flamewar. Just some thoughtless remarks to piss off people who hate high level languages.
Hope that's not aimed at me, I'm currently working on a rather large and complex PHP project
Phillip.
Property for sale in Nice, France
[snip good opinion neither of us can prove one way or other]
> My whole point is that the technology exists today to prevent this kind of situations. There's no kind of excuse for this kind of bugs anymore
> I strongly oppose your suggestion that you can make programmers work harder and code better (if you know how, you're going to be rich). It hasn't happened in the past and I guarantee you it won't happen in the future. It's the technology that's fundamentally flawed and not the programmer.
It's no secret. Software engineering is a fusion of cutting code with process. The fact is that some programmers are better than others. The better a team is, the less process they need. Frederick Brookes recommends 40/60 coding:testing ratio (afaicr). With a good team you can reverse this ratio. Large consultancies make money by cutting costs and hiring code monkeys but enforcing lengthy process to ensure the code reaches a certain bugs-per-thousand-lines limit. You could make it part of your process to have all submitted code audited by two other programmers for buffer over-runs. Perfectly valid alternative solution. Not as elegant a solution, but it may be more cost-effective than rewriting an entire application in a new language.
The fact is you can make programmers code better, the ones that are willing to learn. The rest you just put through more process so that better code comes out the other end. You are evidently a very good technical person thus you see technology as the flaw. I have been guilty myself of focussing on technology too much and getting tunnel vision. The danger is in losing sight of the bigger picture as we are starting to do now.
Phillip.
Property for sale in Nice, France
> I suspect a Java implementation would perform acceptably too.
:-)
I'm not sure it would, though I have no evidence either way. Until recently Java applications have been fairly resource intensive, and the garbage collection has been variable (eg flushing at inconvenient times and bringing the system temporarily to a crawl). On the other hand, the progress in JVMs has been marvelous! I'm a Java programmer by profession so would love to see it get to the point where we can rewrite some of the more fundamental infrastructure apps in Java but I'm just not sure it's there yet.
If you want to volunteer your enterprise server, feel free to try dnsjava
> BTW. I disagree that this is a low level application. Device drivers are lowlevel applications. You typically find them at the bottom layer of the OSI model. Bind would classify for the application layer (almost at the top).
I'm sure you're not deliberately misunderstanding me, and I'm not going to get into an argument about semantics. Yes you are right it's at the application layer. By low level I meant (sorry if I wasn't clearer) a process just left running in the background that isn't visibly noticed or really changed 99% of the time.
> Then, you hammer down the fact that it is possible to create safe programs in C. But then my simple question is: why the hell do we have all these security leaks? Bind isn't an incident, it's just the latest leak to be found. Probably a solution will be provided in the form of a patch. However, this patch won't fix the fundamental problem, it will just fix the symptom and in the future more bugs will be found.
We've been over why we have security leaks previously in this thread. We have identified fundamental problem which is we need to (a) make sure programmers do not make basic mistakes or (b) ensure programmers use tools to catch these mistakes or (c) use a compiler or interpreter (note: not language) that catches these automatically.
It appears to me to be a straight shoot-out between C and Java, unless you can give us some of the "plenty of alternatives to C" (preferably ones with comprehensive libraries). Can someone who has worked on implementing a JVM indicate the performance of a machine with nameserver (along with httpd, ftd, etc) all written in Java?
Phillip.
Property for sale in Nice, France
I know apt-update was around first, but there is now a nifty utility for Redhat distros to automatically have them download and install all the updates for your particular version.
It's called autoupdate, and can be found at http://www.mat.univie.ac.at/~gerald/ftp/autoupdate/index.html.
Not only can it grab updates from a ftp server, but it can also snag them via NFS or whatever from one of your servers, which has already downloaded them. You don't have to download the updates twice.
So you'd just have a cron job on a Linux box which uses autoupdate to download everything from ftp.redhat.com or a mirror, and then each of your clients could run a cron job an hour later that grabs the updates from your main server.
Nothing beats writing secure code -- but since no program is perfect, you might as well have something to make upgrading software easy on yourself.
-Eric
And it has been in production longer than apt-get.
The *BSD ports with make.
BSD leads. Linux follows.
If it was said on slashdot, it MUST be true!
http://www.openbsd.org/errata.html
I do not deploy Linux. Ever.
If you want to run named as another user, recompile with the --disable-threads option to disable threading.
Sorry to hear about your security holes, but I'd rather use something that works best for me. If that means I use a non-GPL license, that's fine. If it means I use a closed-source (gasp! Horror!) program, that's fine, too.
-Legion
Redhat put out updated rpm packages for 5.2, 6.2 and 7.0. I need a 6.0 updated bind rpm. Where could I find it?
Hm, I'm in my first year of a real C++ course in high school, attempting to get a formal education in the language. I guess there must be a shortage of teachers, because the new guy they hired this year is almost totally incompetent. For one thing, what he seems to know is C, not C++, to the extent that when I pointed out we could just use a bool for one program which worked with (surprise) booleans, he was surprised that that was a valid type. Right now, we're learning from a book, with no instruction of any sort on secure code like that. That worries me.
Good thing I'm not really considering a career as a programmer...
-J
Karma: T-rexcellent.
why bother to control that? Why should anyone care if I want to run this under /usr/share/boofer_lady if I feel like it?
Friends don't help friends install M$ junk.
You forgot /etc/hosts.
It is good to breed better programmers (I hope next generation will do 1/10th of the bugs I do ). But I would also see implemented some of the long-debated-never-done methods we might already have to prevent buffer overruns to be so nasty:
Ciao
----
FB
Daemons have always been considered low-level, and therefore special, by OS programmers. There are tons of special hooks for that reason (i.e. nice), and in MINIX there's even a different task queue just for servers, between user apps and drivers.
"Hex, Bugs, and Rockn'Roll" --The Programmer's Digest
"Hex, Bugs, and Rockn'Roll"
Damn good!
--
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
Don't you mean: One Ping to rule them all, One Ping to find them, One Ping to bring them all and in the darkness BIND them. (With apologies to UF.)
I first started experimenting with djbdns back when it was DNScache. I have tried it several times. I have a large network with 6 DNS servers and a lot of domains and required interoperability with large universities bind installs. djbdns failed to make the cut on 3 separate occasions because of interoperability problems (with bind) and the requirement for many IP's (3) where bind needed only 1. We continually re-evaluate software so perhaps djbdns will make the cut someday.
Software rots when it isn't maintained or updated or when it's not allowed to be. Let's see, how many times since....1998/99 have I heard "NEW QMAIL COMING SOON". Yeah there is a new qmail, it will be here when it's good and ready, and it's real soon now
Bottom line, I use a good deal of djb software, including qmail, it's secure, very well written and works as advertised usually. I just don't believe in blindly following anything or anyone. djb software is not my savior (he is apparently yours) I use his software where it works for me in my network. I try to improve what I see needs to be improved, and I contribute where I can.
Get off your high horse before someone knocks you off. There is no one solution for anyone (vive la difference!). djbdns is more secure, I'm quite sure of that. Even more secure than that is a computer that has no power, buried four feet under ground and has a horse pissing on it. I just can't get anything useful out of that computer.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Unfortunately that isn't enough. Consider following for example:
#define BUFLEN 128
char buf[BUFLEN];
sprintf(buf, "input=%s\n", input_from_user);
vs.
snprintf(buf, BUFLEN, "input=%s\n", input_from_user);
Guess which one cannot overwrite the memory following the buf array. However, snprintf was not supported by the standard until ISO C99. See man snprintf for more information. That printf case should be trivial, by the way.
_________________________
_________________________
Spelling and grammar mistakes left as an exercise for the reader.
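As an added illustration (not code from the thread), the same call with the snprintf return value actually checked, since bounding the write is only half the fix: a result of BUFLEN or more means the input was silently cut off. It keeps the thread's BUFLEN and format string; the 'A'-filled inputs and the probe helpers are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUFLEN 128

/* Bounded replacement for the thread's sprintf(buf, "input=%s\n", ...) call.
 * Returns 1 if the whole string fit, 0 if snprintf had to cut it short
 * (or hit an encoding error). Added example, not code from the thread. */
int format_input(char *buf, size_t buflen, const char *input_from_user)
{
    /* snprintf writes at most buflen bytes including the NUL, so buf can't
     * be overrun. It returns the length the *untruncated* string would have
     * had, so n >= buflen is the truncation signal that callers routinely
     * forget to check; silently working on a cut-off string is its own bug. */
    int n = snprintf(buf, buflen, "input=%s\n", input_from_user);
    if (n < 0) {
        if (buflen > 0)
            buf[0] = '\0';               /* leave a valid, empty string behind */
        return 0;
    }
    return (size_t)n < buflen;
}

/* Constructed input for the checks below: `len` bytes of 'A'. */
static void fill_input(char *input, size_t cap, size_t len)
{
    if (len >= cap)
        len = cap - 1;
    memset(input, 'A', len);
    input[len] = '\0';
}

/* 1 if an input of `len` bytes fits in a BUFLEN buffer without truncation. */
int input_fits(size_t len)
{
    char input[512], buf[BUFLEN];
    fill_input(input, sizeof input, len);
    return format_input(buf, sizeof buf, input);
}

/* Bytes that actually land in the BUFLEN buffer for such an input; never
 * more than BUFLEN - 1, however long the input is. */
size_t formatted_length(size_t len)
{
    char input[512], buf[BUFLEN];
    fill_input(input, sizeof input, len);
    format_input(buf, sizeof buf, input);
    return strlen(buf);
}

int main(void)
{
    /* 120 is the largest input that fits: "input=" (6) + 120 + '\n' + NUL = 128 */
    size_t lens[] = { 5, 120, 121, 300 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("input of %3zu bytes: %s, %zu bytes stored\n", lens[i],
               input_fits(lens[i]) ? "fits" : "TRUNCATED", formatted_length(lens[i]));
    return 0;
}
```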
As far as probes go, double check some of them to make sure they're not your ISP probing to see if you are still online (your comp turned on). I used to get about 20 Netbios scans that drove my OpenBSD firewall up the wall (pun intended), until I learned that they came in regular intervals from the same IP. This is especially common if you're on @home or roadrunner, as they use dynamic IPs, so if you aren't online they're wasting an IP on you. I still don't allow that IP to go through, but after realizing that I found that I only get about 4 "interesting" scans a day.
Funny thing is I picked this book up and started to read it again for the 12th time. Can't beat LOTR for a good read
-mutter- something something something...
Please try to realise that these links are helpful for those of us wanting the source for bind and live in AU. Jason provides a fantastic service with aarnet and planet mirror giving Australians a fast local mirror of pretty much everything linux / unix related.
"The interesting this is that their marketing machine managed to hush this up so well: if it had been Cisco, they would have been toast."
Well, Microsoft (despite what it's trying to become) is hardly a mission critical systems retailer, nor a networking hardware vendor. Cisco is widely known to be the manufacturer of some of the best communications gear around.
If Cisco's network were to go down, that would say a lot more about their products than if the same thing happened to MS.
The so called telnet service is a joke.. :) .. It really is.. have you tried it? I have. I turned it on. Then I could telnet to localhost - to a DOS prompt - great remote control options!! NOT!
I then ssh:d to a unix account on a different network. I tried to telnet back to my win2k box. Forgetaboutit... Some message about needing windows verification or something... *puke*...
:)
Escape character is '^]'.
Server allows NTLM authentication only
Server has closed connection
Connection closed by foreign host.
IMHO the best remote controlling program is NetBus...
Cheers...
--
"No se rinde el gallo rojo, sólo cuando ya está muerto."
$HOME is where the
-- silver_p
Microsoft Windows Workstation allows only 1 Telnet Client License
Server has closed connection
What's your opinion on this?..
Cheers...
I have installed PuTTY on every single Win computer I have ever sat in front of for more than 4 minutes... Gotta love it!.. Thanx for the answers and the newsgroup... It was a long time ago I used the net command (98/99?)... mostly "net use" and "net send *" .. ;) .. I'll have to start refreshing my |-|aX0r WinXX skillz...
How many months will it take before all the system administrators upgrade their BIND? One month, 2 months? I bet we see this being exploited for a LONG time..
...that buffer overflows still exist in this code. Honestly, BIND has to be the most used piece of software on the net, and it is completely open-source to boot.
How, despite the thousands of eyes that look at it ever day, did these problems not reveal themselves earlier?
sedawkgrep
Is that a salami in my pants or am I just happy to be me?
I'm hoping that you forgot the smiley to demonstrate that you were joking. Security through obscurity doesn't work -- never has and it never will. Not to mention there are already tons of other sites that have either noted the problems or announced new packages for BIND.
BIND has been the subject of security holes for a while now, for many reasons. What people don't realize is that there are HOWTOs out there on doing things that can limit what an attacker can do.
If you chroot/jail bind to a directory then the attacker can not mess with the rest of the drive and they have very few applications at their disposal. It is possible to jump out of a chroot'd application if it is running as root. But to fix this, I modified chroot to allow a user and/or group to be passed in so that chroot is swapped to this user/group and runs the application as this person. This greatly limits the attacks from bind as bind has usually had buffer overflow security bugs that allow execution of data. The worst that happens now is for bind to lock up and need to be restarted.
rr
Quidquid latine dictum sit, altum videtur.
Please provide specifics on these alleged security holes in BIND 9. Thanks.
My ancestors evolved from primordial ooze, and all I got was this lousy Existential Angst!
You should not rely on the compiler/interpreter to do your bounds checking anyway, because it is just not reliable. You never know where the bounds checking ends. Take BASIC for example which performs bounds checking. An INPUT statement is checked, but an INPUT# statement turns out not to be checked. That means that if you rely on BASIC's natural bounds checking, your programs will still be vulnerable when you copy data from a device or file.
The clash of honour calls, to stand when others fall.
Yes, it's the programmer's responsibility in the end to write secure code, but despite its speed and portability, C is sort of a poor choice as far as security goes, and C++ is only marginally better, because it depends so much on how a person decides to write their C++ code.
Just my two cents.
What, you think only software under the GPL can be legally used?
No, but only the GPL (and other Free licenses like *BSD, etc) allow true freedom. One of those freedoms is the freedom to distribute binaries, but Bernstein's license won't allow me to do that if my system isn't up to his standards.
Does my bum look big in this?
On inspection I found this line started with #defile rather than the more usual #define
So what is this? Typo at release time? cosmic ray? random bit error in the ftp pipe? signature pun by truly 1337 h4x0rs after installing trojan source package? isc development team get a sense of humor and respond to being featured on /. ?
Please let me know!
--
.sigs: Just Say No!
check out bruce guenter's qmail+patches package.
here
it's got a lot of what you stated above, including all of the really useful patches already merged in, and the page includes instructions for what else you need to install to get everything working right. src rpm and src tarball are both available.
-jeremy
That comment would hold water if there were security holes. Anyone that has used Qmail or any other product from Bernstein knows that there are no security holes. If there were, people would have collected on the rewards. People need to get off of the Linux/GPL is god bandwagon. Remember it's just software, not a religion. dave
Adam Shostack summed up all the current "frequently asked and answered" questions in his paper at http://www.homeport.org/~adam/review.html.
It is worth reading if you are trying to write secure software.
Also, check out qmail for an example of well written secure software.
(Beware of Adam's other material - he is pro-linux and anti-MS, and believes that only open source software can be safe etc. etc.)
"Making linux GPL was the best thing I ever did" - Torvalds. I'd hate to see the worst thing...
What, so we should write BIND in java? Fuck that, you seem to forget that languages that provide bounds checking are WRITTEN IN C. It's just as likely java itself has a buffer overflow in it as the bind program. It makes no difference. The only difference is, in C, you have control. You decide if your program is a POS with holes, or if it's solid.
And second of all, I don't care if someone hacks BIND on my system, its called jail(), BSD has it, do you? I'll make sure and put some porn with my zone files, so the l33t hacker who hacks my l33t bind install gets free pron for his effort.
thanks for the info.. so now this brings up one other question, the main reason to use bind9 was for multiprocessor support (-n [number_of_cpus]) .. multiprocessor apps are usually multithreaded so the OS can take care of handing out individual threads to different CPUs.. so with threading disabled will this in turn disable the multiprocessor features as well.
root@machine [~]: named -u daemon
named: -u not supported on Linux kernels older than 2.3.99-pre3
Real intelligent statement there with lots of arguments to back it up I see. I use whatever suits the job in question (web server, SQL server etc), including Linux, FreeBSD & OpenBSD.
No haven't heard about it; but they were down for how long because of a "misconfigured router" and then a "DoS hacker attack"
Apocalypse Cancelled, Sorry, No Ticket Refunds
Maybe. I haven't seen any in 9.x yet, but I won't get my hopes up for it to be bug free. It may just be a matter of time.
M$ stock dropped in 1/2 since last year. If you are a MCSE, you will be broke.
9 is supposed to be a total re-write.
I think it had more to do with the fact that this is day old news that even CNN Headline News did a story on before Slashdot posted the damn article...
"Watch these suckers jump when I get root." - l33t j03
Well, OpenBSD has a patch out on their website for BIND, maybe it isn't for these vulnerabilities?
Do you like German cars?
"OpenDNS" by the OpenBSD project.
You said you preferred "well designed" closed source software. How can you tell if it is well designed?
How many other security issues were resolved just because bind is opensource? Lots.
You also mention security problems "every two weeks". Opensoftware is open. The good parts are open, and the bad parts too. Nothing is hidden.
BIND apparently has a BSD-style licence so Microsoft may very well have used BIND code in their "own" software.
They have done similar things with the BSD TCP/IP stack.
With the concomitant security risk...
Vive le Québec libre, 'sti!
the question is: why is all this open source software like bind, sendmail, ftpd and such so full of bugs to begin with?
I'd rather go for a well designed closed source server than these crappy free programs that have a security problem every two weeks...
I can't find any specific reports that these vulnerabilities exist in BIND NT, nor can I find any updates. Am I just looking in the wrong places, or is BIND NT not affected?
The problem is pure theory classes are frequently a little too abstract for people to really grasp, and people quickly forget the lesson. When you back up your theory with a bit of practice, i.e. writing some C code in an insecure fashion then breaking it to show how easy it is, then you have something that the students will remember.
The biggest problem with security problems is that they don't show up during ANY part of the standard software development cycle (your testers generally don't have the source code to try and exploit the code with, and certainly don't have the expertise to do so anyway), so they go unnoticed for years until someone on the outside finds the hole and exploits it.
I read the internet for the articles.
I don't mean this as a troll, but it seems that BIND has more security vulnerabilities than any other piece of software.
I'd say that dubious distinction falls to wu-ftpd, but BIND is a close second.
Anyway, BIND 9 is a complete rewrite.
--
According to the mailing lists, OpenBSD's implementation of BIND4 is immune; the sprintf()s responsible for the overflows were changed to snprintf()s by the development team in 1997.
SoupIsGood Food
I'm of the opinion that no course should be teaching printf, writeln, or any of that. They should teach the concept and let you apply it to the language of your choosing.
:)
Sure, they should mention what buffer overruns are. But they shouldn't be teaching you how to use a particular tool - but how that class of tools work in general.
Unless of course it is a C/C++ course
Piece of cake to switch - a $TTL in one file, and a line in another file to quiet a warning, and up on 9.1.
Much MUCH easier than 4->8
Whatever software you have - there's a hole in it. Somewhere. Somehow. It's just code that hasn't been beaten on enough to find it. While some software may be 'better' out of the box, it may not necessarily be completely secure.
-- There is no sig line, only Zuul.
I recommend reading Scott Wunsch's excellent Chroot-BIND HOWTO for instructions on setting up BIND in a jailed root. I sleep better at night (really) thanks to this how-to.
-Waldo
When I upgraded last night, I got an error explaining that I had to be running kernel 2.3.99 or newer. I didn't desire to patch the kernel on this particular machine, so I ended up upgrading to the newest 8.x. YMMV, but that was the result on this particular RH6.0 Intel box.
-Waldo
One INCIDENTS post suggests that there is a exploit in the wild.
So upgrade.
This was already on MSNBC and ZDNN, so all the black-hats already know.
There's a nice, if short, checklist at http://www.openbsd.org/porting.html#security
You presume that people here consider security to be important. What is the saying that someone keeps quoting? "Those who would exchange freedom for a little security deserves neither".
Let's look at the track record of BIND.
1) Exploit every few months (followed by apologies like, "well, BIND has been out so long, it has to be secure NOW").
2) New BIND, where the authors seem to indicate that security was not part of the design criteria.
But you see, djbdns has the wrong license. It's not GPL. And people will rather be rooted than run a non-GPL software. Especially if running it would mean that one had to admit that there is actually a non-GPL software that is (Oh nooo) *better* than the GPL alternative.
If you want to see the same attitude for another piece of "software", check out any discussion on Sendmail (same arguments, same security holes).
Je ne parle pas francais.
Did you read his 'license'? He has limits on distribution the same way GPL limits the distribution.
GPL limits the distribution, in the sense that if you distribute it, you have to give the source code. AND YES THIS IS A LIMITATION.
Bernstein's license is that you can't distribute it while changing the author's (his) original wish on how the software should work. That means you can't arbitrarily change the code, or the location of where the software is installed, and distribute it and still call it qmail/djbdns.
You can distribute binaries, AS LONG AS IT INSTALLS EXACTLY LIKE IT WOULD IF THE USER COMPILED AND DID A MAKE INSTALL FROM PRISTINE SOURCES.
Heck, like the GPL, if you don't like it, you can always negotiate with the author to change the license terms.
If you want to talk about true freedom, talk about the BSD license.
So why don't you just turn on the telnet service or download the free SSHD for NT/2000? It's really not that difficult...
I still can't understand how in this day and age someone can waste their time complaining and not be able to figure this stuff out.
Cheers,
djbdns requires separate machines for almost everything.
Granted I'm not a DNS wizard but I don't think this is the case. In the worst case you could say that djbdns requires separate IP addresses for everything. Except that really isn't the case anymore, as I understand it.
For all of the complaints about the Outlook/Exchange monoculture and its susceptibility to exploits that you see on slashdot, I'd really expect more people to be using things like djbdns and fixing the holes in it rather than complaining. I'd rather patch djbdns to add minimal functionality than patch BIND to fix major security problems.
Granted Bernstein isn't the most affable character in the world, but I don't pick my software based on the personality of the people who write it.
ask yourself if it is as widely deployed and as widely scrutinized as bind
However, it is misleading to suggest that that is the only, or even the most important, criterion. Quantity of scrutiny has nothing to do with quality of scrutiny...as many open source software projects find out. Having millions of naive users who never look at the source code does you very little good from a security standpoint. Having ten knowledgeable people audit the source code does a tremendous amount of good. Also, djbdns has a little more than 10,000 lines of code. BIND has well over 120,000. It is much easier to verify simple software than complex software. That, combined with the relative track records of the authors of djbdns and BIND, makes the comparison much more difficult than simply looking at how widely deployed something is.
bind is mirrored in australia at:
PlanetMirror:
ftp://ftp.planetmirror.com/pub/bind/src/8.2.3/
AARNet:
ftp://mirror.aarnet.edu.au/pub/bind/src/8.2.3/
please try to use one of them before hitting
the ISC server.
-jason
Anyone notice how this CERT advisory comes out only a few days after Microsoft had its DNS borked? Coincidence? I think not ;-)
deb http://security.debian.org/ stable/updates main contrib non-free
Umm, the responsible people already read bugtraq this morning and patched their servers.
--BlueLines "The cost of living hasn't affected it's popularity." -anonymous
Bind8 is in the ports. Bind4 is in the base system. There's a reason. If you'd paid any attention to the misc mailing list, where the question comes up with monotonous regularity, you'd know why: the team doesn't trust (and wouldn't audit) bind8 because it's a hideous mess.
As to timely updates, there was a patch for bind4 yesterday, even though it looks like the buffer overruns were defanged back in 1997 in a general sweep for sprintf()s.
It all depends if you have machines/IP's to spare. djbdns requires separate machines for almost everything. If you want your load balancing DNS server run this, resolver run this, master/root server run this.
Ok if you are working from scratch. But more tricky if you want a replacement for an existing set up.
- Figure out which files and libraries the daemon needs; that is at least libc and /etc/passwd and most likely some more.
- Make a rooted environment at e.g. /var/named/chroot with the directories, libraries, files and data. If the daemon calls other programs, copy them too.
- TRIM everything down to (nearly) nothing. No other entries in the passwd file than root, bin and the like, and (doh!) * in the password fields!
- Start the daemon like chroot /sbin/named ... and the daemon will believe that the world's top is /var/named/chroot.
You can run any daemon like this, apache, sendmail, finger and whatever.
:-) = I am happy
:^) = I am happy with my big nose
C:\> = I am happy with my OS
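The modified-chroot idea from earlier in the thread (a chroot that takes a user and group and switches to them before running the daemon) and the rooted-environment recipe above, as one added example that is not any poster's code: parse a user[:group] spec, enter the jail, then give up root in the order that makes the drop stick. It assumes a jail such as /var/named/chroot already populated as the list describes and a named user/group; the program name jailrun is made up.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Declared explicitly so this still compiles in strict ISO mode, where the
 * system headers hide these POSIX/BSD functions. */
int chroot(const char *path);
int setgroups(size_t size, const gid_t *list);

/* Resolve a "user" or "user:group" spec (names or numeric ids, in the spirit
 * of named -u) into ids. Returns 0 on success, -1 if a name is unknown. */
int parse_user_group(const char *spec, uid_t *uid, gid_t *gid)
{
    char buf[256], *colon, *end;
    struct passwd *pw;
    unsigned long v;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    colon = strchr(buf, ':');
    if (colon != NULL)
        *colon++ = '\0';
    v = strtoul(buf, &end, 10);
    if (*buf != '\0' && *end == '\0') {          /* numeric uid */
        *uid = (uid_t)v;
        pw = getpwuid(*uid);                     /* may be NULL; only needed for a default gid */
    } else {                                     /* user name */
        pw = getpwnam(buf);
        if (pw == NULL)
            return -1;
        *uid = pw->pw_uid;
    }
    if (colon != NULL && *colon != '\0') {
        struct group *gr;
        v = strtoul(colon, &end, 10);
        if (*end == '\0') {                      /* numeric gid */
            *gid = (gid_t)v;
        } else if ((gr = getgrnam(colon)) != NULL) {
            *gid = gr->gr_gid;
        } else {
            return -1;
        }
    } else if (pw != NULL) {
        *gid = pw->pw_gid;                       /* default: the user's primary group */
    } else {
        return -1;                               /* numeric uid with no passwd entry and no group */
    }
    return 0;
}

/* Confine the process to `root` and give up root, in the order that makes it
 * stick: chroot while still privileged, then drop supplementary groups, the
 * gid and finally the uid, and verify the drop is irreversible. uid/gid 0 are
 * refused: a chroot that keeps root is escapable, as the thread notes.
 * Returns 0 on success, -1 with errno set on failure. */
int jail_and_drop(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (chdir(root) != 0 || chroot(root) != 0) return -1;
    if (chdir("/") != 0) return -1;               /* cwd must be inside the new root */
    if (setgroups(0, NULL) != 0) return -1;       /* inherited groups would survive otherwise */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;              /* last: nothing privileged works after this */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;                            /* the drop did not stick; refuse to continue */
        return -1;
    }
    return 0;
}

/* Convenience wrappers: resolved uid/gid for a spec, or -1 if it is unknown. */
long spec_uid(const char *spec)
{ uid_t u; gid_t g; return parse_user_group(spec, &u, &g) == 0 ? (long)u : -1L; }
long spec_gid(const char *spec)
{ uid_t u; gid_t g; return parse_user_group(spec, &u, &g) == 0 ? (long)g : -1L; }

/* usage (as root): jailrun /var/named/chroot named:named /sbin/named ...
 * The command path is relative to the jail, since chroot happens first. */
int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    if (argc < 4 || parse_user_group(argv[2], &uid, &gid) != 0) {
        fprintf(stderr, "usage: %s <jail-dir> <user[:group]> <command> [args...]\n", argv[0]);
        return 2;
    }
    if (jail_and_drop(argv[1], uid, gid) != 0) { perror("jail_and_drop"); return 1; }
    execv(argv[3], argv + 3);
    perror("execv");
    return 1;
}
```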
The vulnerabilities / exploit list is long! And while 9.1.0 doesn't have any known exploits according to this list, I think this should be an eye-opener to people when it comes to security. Like Microsoft likes pointing out, you are unsafe with *ANY* OS if you don't stay up to date with the patches. I'm not "pro MS" or anything, but there's a lot of rhetoric on Slashdot about how Microsoft OS's are safe. The idea a lot of people get is that Linux is automatically completely safe. This is, of course, not the case. Unless you know what's going on and what has been hacked, you're leaving your system wide open.
For those who feel safe and comfortable with their home box, especially those hooked up to DSL or cable, I strongly recommend checking out that list. It's scary and it's only bind! To keep the balance, the fix list for Win2K SP1 is even longer... and scarier..
I run a box at home that is connected to the net 24/7 on a dynamic IP without an easy-to-guess hostname and I get about 10 probes a day.. FTP, ping, SSH, telnet, http.. you name it.. I assume most boxes get the same amount.. If you have an open door, it WILL be exploited!
I doubt djbdns has received the attention that BIND has. If djbdns was used on every server instead of BIND, there'd probably be problems found with it too.
DJB is willing to bet that there won't be and even though djbdns is not in wide use, his other project, Qmail, which carries a similar guarantee is widespread even in high-profile high-risk locations like Hotmail. No security related bug has ever been found AFAIK.
Regards,
Xenna (who bets his servers on it)
Is the Secure DNS server that's part of the FreeS/WAN project ready to go? If so, does it have any of these vulnerabilities? -jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
... distros like RedHat (which I use) run everything under the sun when you first install.
Which is truly annoying.
A quick way to give yourself some protection is to configure ipchains first thing to block all inbound everything except responses to things (like TCP sessions) originating inside. Then selectively expose anything you want to be reachable from outside. This limits the (initial) vulnerabilities to the servers you expose and the TCP/IP stack itself.
Even if a server like BIND is running they can't exploit it unless they can get a message to it.
(Of course once they get through a hole in one of the things you DO expose they can open up any others they want. Then all bets are off.)
When installing on a new machine you might want to go out onto the net and get any security tools and patches you might need, roll them onto a floppy, then pull your network connections and reinstall from scratch (reformatting the disk), just in case some kiddie got to the box while the initial wide-open install was running.
Of course you don't want it running open on a home network, either, since it could be used to sniff and attack other machines while it's open. But if you have any other machines you can write that floppy on one of 'em and run both the install and door-locking while the machine is connected to nothing but the power grid and sneakernet. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It's partly the language C that causes these problems, because C has no bounds checking on its arrays, which can lead to bad situations with buffer overruns and such.
That's because C is an "enough rope" language. Others do some checking, but it costs execution speed, and they still can't block all the holes. C does JUST what you tell it, without wasting cycles on trying to save you from yourself (and giving you a false sense of security). It's up to you to tell it to do whatever checking you want done.
The problem isn't really the language. It's the standard library, which contains some input routines with buffer overflows built in. The biggest culprit is gets(). It was a mistake to put it there, and the manual page now warns you not to use it and what to use to replace it (fgets()). But now it's there, and a bunch of stuff will break if it goes away.
(Of course anything that will break is already broken. So you might want to cut it out of your own library and see what won't link. B-) )
"And so it begins."
"There is a hole in your BIND."
"What do you want?"
I upgraded to BIND 9 and had problems right off the bat, to say nothing of the fact it's 10X the size of BIND8. DJBDNS is one Slick package. It rawks. Very, very elegant. http://cr.yp.to/djbdns.html
BIND 9 is supposed to have been written by a "team of professionals". From where? Microsoft? Guys that were "let go" because they wrote code too buggy and bloated for M$? DJBDNS shows once again one guy with a major clue beats a "team of professionals" every time.
Thanks for getting us this far, Vix and Co., but you can sit down now.
Need Mercedes parts ?
- 486 DX/2 - 50 Mhz processor
- Only 32 MB of DRAM
- BIOS patch drivers running in real mode
- Runs a Telnet server, DNS, and web server
- Goofy BIOS/Video card combination that dies after a warm boot
This would rule it out as a candidate for real use, right? Wrong! It NEVER dies (it can't, won't reboot except for a power cycle). I take it down for the odd service pack, otherwise it's always there. It's currently at 42 days; it was past 150 when I took things down because I tweaked IP addresses for our network. (Yeah... NT needs to be rebooted to work right... it's not perfect).
The point is that NT is stable, you just have to treat it like a server instead of a workstation.
--Mike--
You don't know what you're talking about. The latest djbdns has load balancing built into tinydns, the iterating resolver. Dnscache, tinydns, and axfrdns can all run on the same machine, e.g., to replicate the usual BIND installation. And please explain to me how software can "rot." Oh yes, there's a new release of qmail in the works, you got that wrong, too. Qmail is doing fine, are you a shill for ISC?
The bottom line is that if you are running BIND you're more vulnerable than with djbdns. Everyone runs bind and sendmail for the same reason that windows is installed on so many desktops, it's the default install.
"Mit der Dummheit kaempfen Goetter selbst vergebens." - Schiller
Before you run ./configure, do a "export CFLAGS=--static"
Then ./configure --enable-chroot.
make
Then go in and copy the binaries to your chroot jail.
Then go make sure your chrooted /var/run can be written as the user that named runs as.
Then go edit your zone files and add "$TTL 84000" to the top of each one.
Then start named as you did previously.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Seems like for a while there they were reporting a hole a week in Bind and Sendmail. Haven't heard much about sendmail in a while (Haven't cared, either, switched to Postfix ages ago.) Bind shows no sign of letting up though. You'd think after a certain point, they'd say "Good GOD! This code SUCKS! Let's redesign and rewrite it!"
This comes in two parts- 'tinydns', which only handles serving authoritative data, and 'dnscache' which only handles providing caching DNS services.
Installation is somewhat complex, but the software works like a charm once you get past that.
Never trust anyone who tells you not to trust people. 0
The folks who wrote and/or maintain bind had the best of intentions. Bind code filled the need when Arpanet/Internet sites were copying around large host files. I don't wish to denigrate / attack those who helped create and maintain bind, but one cannot ignore the fact that bind is one of the larger infrastructure vulnerabilities we face today. The track record of bind v8 and previous versions casts doubt on the wisdom of trusting bind v9.
Bind's track record clearly shows it for what it is: a bug infested and many flawed chunk of code that has lasted way past its prime. Bind is to name service as sendmail is to EMail.
Bind has and very likely continues to suffer from:
But all is not lost in the name service front. A few alternatives to bind exist now. Several more efforts are in the works as well. Time and experience will show which efforts will succeed.
For those who cannot become a bind-free site now or in the near-term future, there are some things you can do to minimize the damage bind code can cause. Consider the following ideas. These ideas are not for everyone. This list is by no means exhaustive. You might want to:
If you treat bind with caution, you will be more likely to survive intact until a bind-free solution with a good track record presents itself.
chongo (was here)
Qmail works great if you're a programmer, or if you have LOTS of time. Some people do not. Qmail works out of the box for 90% of what we do. The other ten percent could be made easier if some of the extremely common "add-ons" were merged into the source.
From an ISP point of view, you really want to do this. Servers which customers use to lookup names should not be the servers which you use to store customer zone files. This ensures that when domains get redelegated away from your nameservers, that your own customers always see the correct (i.e. as delegated) zone contents.
Qmail appears abandoned.
What a pity. I use qmail in several places and it really works well. But I won't stop using it even if it is abandoned because I have the source, and ICHI (I Can Hack It).
(Sorry, bad pun, couldn't resist :-) )
--
Fuck Censorship.
News for Geeks in Austin, TX
Does anyone here know about what (if any) compatibility issues there are going from 8.2.x (installed on most machines today) to 9.1 ?? Did they change stuff in the config file format, again?
PJRC: Electronic Projects, 8051 Microcontroller Tools
...slashdot's DNS hasn't been compromised and someone is forging the ENTIRE site and ALL the posts!!.. :)
Cheers...
--
"No se rinde el gallo rojo, sólo cuando ya está muerto."
$HOME is where the
-- silver_p
Ok, just to jump into the fray, (sorry if someone else has asked this question, but it's late where I am), does anyone know how to chroot bind 9? I looked at the docs, looked on the web and have asked on the mailing list. No one seems to know. I currently run bind chrooted (I know it's possible to break out, but every little bit helps) and would like to do the same with bind 9. If anyone on the bind development team reads this, or anyone who develops internet service based software (ftp, http, whatever), including documentation that details how end users can at least add an additional layer of protection when, not if, bugs and exploits are discovered, would be GREATLY appreciated. Don't get me wrong, I applaud your efforts, but sometimes finding information, even when you think you know what you're doing can be kinda frustrating. 8*). Also, anyone have problems upgrading to v9? I am especially interested in anyone who is doing dynamic dns with it. Last one to upgrade is a rotten egg! 8*)
SealBeater
-- It's survival of the fittest...and we got the fucking guns!!!
You just have to wonder what recently means, 90 days? Time to cancel the LAN party and have an Update party
________
Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
[sigh] I note that you've been moderated down as Flamebait. Apparently, someone is moderating based on emotion, not rational discussion, again.
And so've I. Despite the fact that my point was rational, intelligent, on topic and clearly posted.
Yup, we've got some wonderfully intelligent moderators these days.
It's okay. I'll just go back to the home page, hit refresh until I get moderator access (it'll only take two or three times), and then I'll fix the stupid moderation going on (in other discussions, of course).
Read the moderator guidelines, you cheese-eating dweebs.
Fire and Meat. Yummy.
But do you really think linux losers spend their time trying to find buffer overflows in software? Nah, they spend their time downloading exploits written by others, writing WinAMP skins (or whatever it is called on linux), and playing quake.
I like what the Linux losers seem to do best. They write stuff. Stuff that lets me do kewl things that impress my boss and save my IT budgets for grander things.
Like really blowing away the MCSE idiots at the office by setting up and running a domain server, web server with caching proxy, mail server, SAMBA printer server, DHCP server and NAT firewall - with an uptime that blows away the best that they've done so far with Windows 2000 - for the 17 user LAN in a division of a Fortune 500 company - for under $200.
Fine, our website only gets about 50-60 distinct hits/day. But, the server processes about 300 e-mails a day, including large AutoCAD DXF attachments. The printer attached to it is always running. And we've saturated our T1 a few times now, through the server's NAT.
Yup. <$200. Old but tough-as-nails Compaq Pentium 100 with 48 megs of mismatched SIMMs kicking around - free. 4.3 gig Maxtor IDE hard disk drive - left over from an upgrade. Operating system and ISP-on-a-disk - Red Hat 6.2, free download, $0.50 blank CD-R, ~$0.12 for bandwidth. Couple of el-cheapo PCI network cards with gold "MADE IN TAIWAN, R.O.C." stickers on them? ~$30. Time to set it up? A few hours of my time, ~$150.
Stats? Check 'em out yourself. I've cut out lines that I didn't deem necessary to judging the performance of this server.
[lwade@www
processor : 0
vendor_id : GenuineIntel
model name : Pentium 75 - 200
cpu MHz : 99.717487
bogomips : 39.73
[lwade@www
1:37pm up 75 days, 19:29, 1 user, load average: 1.04, 1.05, 1.01
52 processes: 50 sleeping, 2 running, 0 zombie, 0 stopped
CPU states: 1.1% user, 2.1% system, 96.6% nice, 0.0% idle
Mem: 46848K av, 45524K used, 1324K free, 6212K shrd, 1588K buff
Swap: 153176K av, 15632K used, 137544K free 19232K cached
The nice CPU usage there is represented entirely by SETI@Home's UNIX/Linux client. If not for that, the little old Compaq wouldn't have much to do with most of its CPU cycles.
I think that the people who contribute to, and are the most ardent advocates of an operating system with that capability, can't possibly be accurately described as losers.
When you can do that with Windows (any version), with that kind of uptime, on a Pentium 100, lemme know.
Fire and Meat. Yummy.
Most security leaks are a direct consequence of using languages like C. People claim it is possible to program safely in C, however, incidents like this prove them wrong.
[sigh] I note that you've been moderated down as Flamebait. Apparently, someone is moderating based on emotion, not rational discussion, again.
Years ago, I used to be a very fluent assembly language programmer. I haven't done it in years, and I kind of lost interest in programming when I saw that the higher-level languages were taking over.
For anything that has to be rock-solid-stable and predictable, like core operating system components and security, relying on higher-level programming where your code is being mangled by a compiler and linked to potentially faulty libraries, scares the hell out of me.
Look at Windows 9x as a perfect example of why this is a problem. You install a new application. It swaps all the DLLs for its own versions. Because the DLLs are changed, anything which had a dependency on those DLLs will be affected.
What will happen?
Well, to quote Ren Hoek from the legendary History Eraser Button episode, "Maybe something bad, maybe something good. We just don't know."
Eudora has caused a fatal exception error in CTL3D.DLL
For security, the vulnerabilities are even more subtle, and I believe that they're unavoidable.
The only way to ensure that you have complete control over what is actually running is to write it all yourself. Assembled from mnemonics, not compiled from a high-level code. All your own subroutines, written in your hand, not packaged libraries and other cop-outs.
High level programming languages are great for community college programming students. But I think the 'Net would be a lot more secure if we kept them out of our operating system core components.
And yes, writing in lower level languages can take a very long time. And, during development, some of the crashes are absolutely spectacular. But if you think about how much a bug that crashes an operating system like Windows 2000 costs to productivity worldwide - especially in an economy where every hiccup of a webserver slams NASDAQ into the guardrail like a Honda Civic being edged off the road by a Plymouth TrailDuster - spending a little more time to avoid the ambiguity of compilers and linked libraries is well worthwhile.
Fire and Meat. Yummy.
- I knew about this about a day before the /. post, and so have many other folks. Manual exploits are obviously out, and script kiddies are bound to follow within another 24 hours.
- It's posted on /. - EVERYBODY knows!
One way or another you should upgrade because any security risk that is preventable is too much of a risk...
The problem with capped Karma is it only goes down...
SIG: HUP
Even the SF Chronicle did a story before /. posted the damn article! (But there was much less useful info in the SF Gate article, other than the old bugaboo "Can bring down web sites! And whole sections of the Internet!!")
sulli
RTFJ.
Let's suppose your fairy godmother appears and offers to use her magic to make your system safe and secure.
As part of the way the magic works, in order to remove all buffer overflows and memory leaks and the like, it will cause all your programs to use twice as much cpu horsepower.
Would you take her up on the offer? Is it worth sacrificing some horsepower for security and safety?
You can program completely safely in assembly language -- heck, even directly in binary using a hex editor. It's just not productive to do so. The high level C does so much of the bookkeeping for you. Similarly, using even higher level languages to achieve type safety, bounds checking, automatic memory management, etc. is just an extension of getting the computer to automate more of the tedious bookkeeping of programming. Isn't it worth it? For *most* applications (esp. bind) is the efficiency of C *so* important?
Not trying to start a flamewar. Just some thoughtless remarks to piss off people who hate high level languages.
I'll see your senator, and I'll raise you two judges.
Fortunately I can ssh into my server at home, so I had it upgraded within an hour.
Another scary thing is the CERT graph showing the exploit reports for the NXT bug. I definitely don't want to have an un-upgraded BIND in the peak of that curve.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Sorry to hear about your security holes, but I'd rather use something that works best for me. If that means I use a non-GPL license, that's fine. If it means I use a closed-source (gasp! Horror!) program, that's fine, too.
Fine by me too. Just don't cry like a girl when Bernstein comes round to your house to bitchslap you for daring to fix djbdns security holes without his permission!!
Does my bum look big in this?
It seems like this is something that needs to be taught in schools. I don't recall ANY of my professors ever talking about how to write secure code. They ought to teach the difference between printf(str) and printf("%s", str), at least.
Strangely enough, that's the extent of my knowledge on writing unbreakable code. Does anybody out there have links to some good reference material on this?
I got my Linux laptop at System76.
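The printf(str) versus printf("%s", str) distinction the post above raises, as an added example that is not from the thread or from any poster: a caller's data must only ever travel as an argument to a constant format string, never as the format itself. The function names and the sample input are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread). The defect pattern the post names is
 *
 *     void log_line_unsafe(const char *msg) { printf(msg); }
 *
 * where any '%' directive inside msg is interpreted by printf (reading stack
 * memory, and with %n writing to it). gcc's -Wformat-security flags that call.
 * The safe form keeps the format string constant and passes msg as data: */
void log_line_safe(const char *msg)
{
    printf("%s\n", msg);
}

/* Same rule when formatting into a buffer: user-controlled strings are
 * arguments to a constant format. Returns the number of bytes written
 * (excluding the NUL) or -1 if the result would not fit in outsz. */
int format_line(char *out, size_t outsz, const char *user, const char *msg)
{
    int n = snprintf(out, outsz, "user=%s msg=%s", user, msg);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                      /* truncated: report, do not pretend */
    return n;
}

/* Constructed check: '%' sequences inside data must come out verbatim, i.e.
 * they are copied as text rather than acted on as directives. */
int data_is_not_interpreted(void)
{
    char buf[64];
    const char *sample = "%x%x%x%n";    /* constructed sample input, only ever data */
    int n = format_line(buf, sizeof buf, "alice", sample);
    return n > 0 && strstr(buf, sample) != NULL;
}

int main(void)
{
    char buf[64];
    if (format_line(buf, sizeof buf, "alice", "hello") > 0)
        log_line_safe(buf);
    return data_is_not_interpreted() ? 0 : 1;
}
```

Compiling with -Wall -Wformat-security is the cheap check to run over a codebase for the unsafe pattern; any printf-family call whose format is not a literal shows up as a warning.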
don't you mean...
@ .
All software has bugs. OK. BIND has a trackrecord of having security related bugs.
Or rather, track record of having known security related bugs, because it is so widely used and hence so widely scrutinized. Whatever it is that you think has less bugs because of less known security issues, ask yourself if it is as widely deployed and as widely scrutinized as bind.
Maybe we should be more forgiving to Microsoft security issues then?
As long as the patch is released in a timely fashion (which means a day or two tops), and they don't attempt to cover up the "issue", then yes we should be. Unfortunately, neither of these things describes Microsoft behavior in most cases.
The enemies of Democracy are
Add the following line to your /etc/apt/sources.list file:
deb http://security.debian.org/ potato/updates main
Then do a:
apt-get update
followed by a:
apt-get upgrade
DONE.
I don't mean this as a troll, but it seems that BIND has more security vulnerabilities than any other piece of software. I know someone brings this up on every DNS related post, but I think more people should try djbdns, with which I have been very impressed since I started using it about six months ago. I have heard that BIND 9 is supposed to be an improvement, but with BIND's history of security problems I'm not sure if I would trust even this new improved version. I think it is better to go with software that has already demonstrated its good security, like djbdns has.
---------------------------
"The people. Could you patent the sun?"
"Any fool can make a rule, and any fool will mind it."
--Henry David Thoreau
First, stay away from Bind 9. It has yet to incorporate all the features of version 8, and is still in its infancy. There are many security holes that have been found in it, and I suspect many that have not. You'd be best to stick with 8.2.3.
Second, and more importantly, DO NOT RUN A NAMESERVER AS ROOT. There are -u and -g flags when starting named that allow you to set which user the nameserver will run as, much in the same way that IRC servers are run as unprivileged users. Then if the server is compromised, you've only lost an account and not the whole system, assuming no one will be able to hit you with a local exploit.
Interested in open source engine management for your Subaru?
How many of you think this story got posted just to use that cool icon?
--
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
If you can't remember if you're running BIND or not you probably shouldn't ;-)
~~~~~ BigLig2? You mean there's another one of me?
BSD users are still screwed if they downloaded the source and compiled from source. The changes to BSD's BIND 4 are only for those people that used OpenBSD's implementation of BIND4.
There are several alternatives, and having used them all, we had to switch back to bind because of interoperative problems or performance issues. Some solutions are.....
Maybe one of these solutions will work for you.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Qmail appears abandoned. Many people are making patches, but what a pain in the ass, get the source then apply the 3 patches you need and hope they work together. Qmail is a great program, BUT if the author isn't going to keep improving it, then he should turn it loose to those that are.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
As a partially informed/ignorant Linux user, I went to see if I was running "bind"...
It's probably worth mentioning that the program "named" (as seen in the service control activity panel of LinuxConf) is "bind".
The whores get mad when the sluts give it away for free.
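Once you have found named, the next question is whether the version it reports is one the story says to upgrade away from. The classifier below is an added example, not from the thread or from ISC: it encodes the guidance that BIND 4.x needs 4.9.8, BIND 8.x needs the final 8.2.3 (8.2.3 betas are still vulnerable), and BIND 9 is outside this advisory. It assumes version strings shaped like the first token of named's version output (major.minor.patch with an optional suffix); the treatment of suffixes is an assumption: "-REL" and "-P..." are taken as release or patch builds and any other suffix (e.g. "-T...") as a pre-release. The sample strings in the test are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread or from ISC). Classifies a BIND version
 * string against the story's advice. Suffix handling is an assumption:
 *   ""      or "-REL" -> final release
 *   "-P..."           -> patch release (counts as at least the base version)
 *   anything else     -> pre-release/beta */
enum verdict { UPGRADE_NEEDED, FIXED_RELEASE, NOT_COVERED };

static int is_release_suffix(const char *suffix)
{
    return suffix[0] == '\0'
        || strncmp(suffix, "-REL", 4) == 0
        || (suffix[0] == '-' && suffix[1] == 'P');
}

enum verdict check_bind_version(const char *ver)
{
    int major = 0, minor = 0, patch = 0, consumed = 0;
    const char *suffix;

    /* %n records how many characters the three numbers consumed. */
    if (sscanf(ver, "%d.%d.%d%n", &major, &minor, &patch, &consumed) != 3)
        return NOT_COVERED;         /* unparseable: never claim it is fixed */
    suffix = ver + consumed;

    if (major == 4) {
        if (minor < 9 || (minor == 9 && patch < 8))
            return UPGRADE_NEEDED;
        if (minor == 9 && patch == 8 && !is_release_suffix(suffix))
            return UPGRADE_NEEDED;  /* pre-release of the fixed version */
        return FIXED_RELEASE;
    }
    if (major == 8) {
        if (minor < 2 || (minor == 2 && patch < 3))
            return UPGRADE_NEEDED;
        if (minor == 2 && patch == 3 && !is_release_suffix(suffix))
            return UPGRADE_NEEDED;  /* the 8.2.3 betas the story warns about */
        return FIXED_RELEASE;
    }
    return NOT_COVERED;             /* BIND 9 is not in this advisory's scope */
}

int main(int argc, char **argv)
{
    /* Usage: pass the version token reported by named, e.g. 8.2.2-P5 */
    static const char *names[] = { "upgrade needed", "fixed release", "not covered" };
    if (argc < 2) {
        fprintf(stderr, "usage: %s <bind-version>\n", argv[0]);
        return 2;
    }
    printf("%s: %s\n", argv[1], names[check_bind_version(argv[1])]);
    return 0;
}
```

The unparseable-input branch matters: a check like this is only useful if a garbled or unexpected version string lands on the "not covered" side rather than being silently reported as fixed.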
I switched to djbdns a few months ago because I just KNEW something like this would happen. Now I am glad I did! Bind is such a clusterf*ck. :(
http://cr.yp.to/djbdns.html
I was running bind 8 in a chroot jail and when I built bind 9 it barfed a little, but all I really needed to do was make the /var/run under the chroot directory world writable. And bind 9 complained about not having a $TTL directive in my zone files. Once I fixed those things, I was up and running without having to change named.conf.
I found the following things helpful:
named -g -u <user> -t <chroot_dir>
this runs named in the foreground without writing to log files and lets you see what's going on with it for troubleshooting. I also used ktrace to good effect: use truss on Solaris, strace on Linux and ktrace on BSDs and you'll see what named is trying to do (in particular, which files it's trying to open).
I'm running OpenBSD and (now) BIND 9.1
demi
Get the not yet announced RPMs of bind-8.2.3 at Red Hat's FTP-Server's Update-Section or the Mirrors. Goes back even to Red Hat Linux 5.2.
-- To bloody go where no man has gone before.
One Ring to find them,
One Ring to bring them all
and in the darkness BIND them.
Hmmm... Interesting.