Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bind 4 and 8 Vulnerabilities

Posted by michael on from the who-uses-BIND4-anymore dept.

eecue writes "The world's most popular DNS package is once again vulnerable. Even the advisory says it's only a matter of time before worms are written.... just like a couple years ago. I guess this is why i run tinydns."

14 of 402 comments (clear)

  1. Escape by Borodimer · · Score: 5, Informative

    Escape your binds, use djbdns.

    1. Re:Escape by D.+J.+Bernstein · · Score: 5, Informative
      ``I tried djbdns, and it simply did not have the functionality I needed for my application. (mainly, multiple DNS views)''

      djbdns has supported client differentiation since January 2001, version 1.04.

      For comparison, BIND 9.0.0 was released in September 2000. It was practically unusable. The BIND company now says that BIND 9.0.0 had more than six hundred bugs, many of them quite serious.

      Are you saying that you tried djbdns two years ago, had to use BIND 9's ``views'' instead, managed to survive BIND 9's bugs, and haven't looked at djbdns since? If so, take another look. Client differentiation is substantially easier with djbdns than with BIND 9.

      Or are you saying that you tried djbdns more recently, and somehow acquired the false impression that it doesn't support client differentiation? If so, how did you acquire that impression? Is there something in the documentation that could be improved?

  2. Re:tinydns: internal and external views? by dsb3 · · Score: 5, Informative

    > Does TinyDNS support internal and external views?

    Yes. This page shows you how http://cr.yp.to/djbdns/tinydns-data.html

    --

    Slashdot? Oh, I just read it for the articles.
  3. patches already available by Anonymous Coward · · Score: 5, Informative

    linx pro has more information on the exploit, including patches to fix it.

    Does MS fix their vulnerabilities that fast? Judging by the number of klez variants in my inbox, I'd say "no".

  4. Tips by ekrout · · Score: 5, Informative

    [] Most smaller networks don't need a large (and dare I say buggy) installation of BIND.
    [] May I suggest djbdns rather than BIND? Its creator says "every step of the design and implementation has been carefully evaluated from a security perspective. The djbdns package has been structured to minimize the complexity of security-critical code. dnscache is immune to cache poisoning. It is advisable to use the package as a secure alternative to BIND."
    [] May I suggest Dnsmasq , which is described by its creators as a "lightweight, easy to configure DNS forwarder designed to provide DNS (domain name) services to a small network where using BIND would be overkill".

    --

    If you celebrate Xmas, befriend me (538
  5. Or you could use bind 9... by Anonymous Coward · · Score: 5, Informative

    It's not surprising that bind 4 and 8 have the same vulnerabilities - they're based on the same code base, after all. Bind 9 was 100% rewritten, is modular, and actually *checks its inputs*, avoiding buffer overruns and such.

    It uses RFC-specified zone file format, it's extremely functional (internal/external views of DNS based on query source, TSIG authenticated DNS transactions, DNSSEC authenticated DNS records).

    In the couple of years the bind 9 code has been out there, the only vulnerabilities it's had caused the server to shut itself down immediately, as it realised something was wrong with its input. That's likely to be it's only failure mode in the future - stick a wrapper around it that restarts it when it dies, and you'll be right as rain.

  6. BIND9 by isa-kuruption · · Score: 5, Informative
    Even ISC says to run BIND 9. So why aren't you doing it?

    BIND 8.3.3 is the latest version of ISC BIND 8. We strongly recommend that you upgrade to BIND 9.2.1 or, if that is not immediately possible, to BIND 8.3.2 due to certain security vulnerabilities in previous versions. 8.3.3 contains a security fix in libbind. If you have BIND 8.x you need to upgrade.

  7. Re:Did ISS tell bind maintainers? by Black+Art · · Score: 5, Informative

    ISS did not inform any of the Unix vendors.

    They are pretty pissed about it.

    Alan Cox's response was "Well we can all express our deep regret at the inability of the ironically named ISC to work with the internet and society in all the announces."

    BTW, Bind 9 does not fix all of these probems and the fixed versions will be out next week.

    This is not the first time that ISS has released information like this without informing the vendors ahead of time.

    --
    "Trademarks are the heraldry of the new feudalism."
  8. Re:And I guess... by Zapman · · Score: 5, Informative

    This is not very valid, since this is an exploit to attack DNS *SERVERS*. Not clients with the shared libs. Besides to attack a client, they first need to get you to go to some compromised DNS server, with an application utilizing the bad resolver libs.

    Besides, there are some good security points you should be doing anyway on the server. Unless you must have it, turn off recursion:

    acl safenets { 127.0.0.1/32; your.internal.ips/??;}

    options {
    allow-transfer { safenets; };
    allow-recursion { safenets; };
    }

    between that, a solid chroot, and a solid setuid, you'll have beaten 99% of the bind problems you'll have.

    --
    Zapman
  9. Who uses bind4 anymore department? by RazzleDazzle · · Score: 5, Informative

    Answer: OpenBSD See subsection 6.8.3.1
    and read this for why

    --
    ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    1. Re:Who uses bind4 anymore department? by grub · · Score: 5, Informative

      This just hit one of the OpenBSD mail lists from Todd Miller re: the bind exploit:

      Based on the ISS and CERT info it looks like OpenBSD's named is vulnerable. However, since named is run chrooted on OpenBSD this shouldn't be such a big deal. When bind 4.9.11 comes out we will spin a patch.

      Note that we do not appear to have the resolver buffer overflow described in http://www.isc.org/products/BIND/bind-security.htm l
      (looks like we fixed it in 1997).

      --
      Trolling is a art,
  10. Not So Strawman Worms by nweaver · · Score: 5, Informative

    Two of the attacks are DoS: You crash the server, end of story. One, the buffer overflow, can potentially execute code.

    The only "gotcha" in that exploit is that an attacker needs to control a DNS server which the victim DNS server queries. Thus it is a passive attack, the victim must query you, not the other way around.

    That is why the attacker uses a passive worm: The worm infects a DNS server, which in addition to being the local DNS server, serves as the authoritative master DNS server for some domains. When another DNS server queries the infected authoritative master, the authoritative master's response is designed to compromise the requesting server.

    This compromise is followed by a transfer of the worm code itself, and now the victimized server is now infected as well.

    As I said, this doesn't scan, which makes it particularly nice and stealthy.

    You could also make an active scanning worm as follow: There are 2 kinds of nodes, authoritative DNS servers and other DNS servers. If you infect an authoritative DNS server, the worm knows it. Otherwise, it knows the authoritative DNS server it was infected from.

    The worm "scans" by sending DNS queries (ideally with forged from addresses) which will trigger a lookup from the known corrupted authoritative server. This can then go through the net, rather noisily, and infect all servers which accept remote queries. This process can be sped up considerably by looking through the local cache for a list of all DNS servers that the corrupted machine knows about. Rough guess? Less than an hour to infect everything which can listen to the net, and you still have the passive attack to get DNS machines behind firewalls etc.

    The fortunate thing: Although the possible worms are either very fast (lots of vulnerable machines, topological speedup from using the cache) or very stealthy (no scanning at all, a contageon strategy), both techniques require a fair amount of BIND specific programming to develop and release: You need to not only craft the exploit, but keep bind running and transmit the exploit.

    So no kiddiot can simply drop exploit code into scalper.c and get it to work, instead there is a considerable amount of programming needed. So we do have a significant time window to patch machines, but they do need to be patched because it is a very "worm friendly" exploit pattern.

    --
    Test your net with Netalyzr
  11. Re:And I guess... by Phs2501 · · Score: 5, Informative
    Also, if you're serving DNS, get a good secondary DNS provider. Put them in as both your primary and secondary NS records. Then firewall port 53 and only let their hosts connect.

    You still get the same effective service without nearly as much risk of random idiots exploiting buffer overflows.

  12. Shameless plug time by Kiwi · · Score: 5, Informative
    I am the implementer of a DNS server called MaraDNS. This server was written in response to the demand for a fully funcitonal DNS server which has a open source compatible license (which tinydns doesn't). The webpage for MaraDNS is here. The 1.0.x branch has stabilized; I am currently working on the 1.2 branch of MaraDNS.

    Another option, if one does not need recursive caching is posadis. There is also pdnsd, which only provides recursive DNS service.

    Security history of various DNS servers:

    • Bind 4 and 8: multiple remote root shells
    • Bind 9: Denial of service vulnerbilities found
    • MaraDNS: Denial of service vulnerabilities found
    • Posadis: remote shell
    • pdnsd: remote shell
    --

    The secret to enjoying Slashdot is to realize that it should not be taken too seriously.