Slashdot Mirror
New DoS Vulnerability In All Versions of BIND 9
Icemaann writes "ISC is reporting that a new, remotely exploitable vulnerability has been found in all versions of BIND 9. A specially crafted dynamic update packet will make BIND die with an assertion error. There is an exploit in the wild and there are no access control workarounds. Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC post refutes that. This is a high-priority vulnerability and DNS operators will want to upgrade BIND to the latest patch level."
This is very interesting. I'm sure the people behind BIND will scramble to get things sorted out ASAP, but I wonder how long it will take other vendors (Apple, I'm looking at you!) to release a patch.
I do have to wonder about exploits like this that seem initially incredibly serious, yet nothing much comes from them and they don't seem to get exploited to the extent that you might expect they would - this one reminds me of l0pht's famous claim that they can bring down the internet in 30 minutes. If this vulnerability is really as serious as they say, and as easy to exploit as it appears to be then in the wrong hands, this could really be an "internet killer"
Specialist Mac support for creative pros, Melbourne
I don't want to bash BIND but it has had a fair amount of sec issues (well a lot), try unbound or nsd instead http://unbound.nlnetlabs.nl/ http://www.nlnetlabs.nl/projects/nsd/
Well DNS operators do appear to be in a bit of a bind don't they?
Evil people are out to get you.
Was once the day whe a notice like this would kick off a flurry of migrationn plans, compiler scripting, compiling, and restarting servers in the dead of night. (and bonuses to match!)
But now?
# yum -y update && shutdown - r now
Sometimes I pine for the 'good old days'. A little. (ok, hardly at all)
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Good thing I'm using FreeDOS!
According to this document, BIND 9 has issues including being monolithic, having a "Bad Process Model", Hard to Administer and Hard to Hack. That's not a good reputation to have.
To some extent, these issues apply to everything Linux save for the last point. I am waiting for the time these points will not apply to Linux and its associated software.
I must say that understanding BIND's configuration file was not that easy for me at first but after trying several times, I can say I am almost an expert. Things can be made simpler though. A text based interactive system could be of a lot of help. Tools like Webmin come in handy too though they require that a system be running initially.
From the advisory: "Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert."...
So an obvious workaround is to only expose your slave DNS servers and to not expose your master server to the Internet. That's part of "best common practices" isn't it? You have one master and multiple slaves and you protect that master. Come on, this is pretty simple stuff. Just simple secure DNS practices should mitigate this. Yeah, if you haven't done it that way to begin with, you've got a mess on your hands converting and it's easier to patch. But patch AND fix your configuration.
Honestly, why do they insist on running such an important backbone infrastructure piece on a no longer support Microsoft operating system is beyond me.
...to Windows! DOS is just so 80's and 90's it's not funny.
(Suggested mod: +1 funny)
These posts express my own personal views, not those of my employer
Difficult compared to what? DJBDNS is much more difficult to wrangle. It's really not that bad if you attempt to learn it.
Somewhere I think djb is managing to both smile and raise his eyebrows simultaneously.
This is a reason why I want to be able to do LDAP based zone updates.
It's unlikely that, if you're running a DNS server inside of your private network, someone on the outside is going to be able to hit it. But then, like all other vulnerabilities, you combine this one with a couple of other attacks (such as a non-privileged login), and all of the sudden you've got something really dangerous. :-(
Your Servant, B. Baggins
Recent versions of BIND (8+) are not terrible to administer, and have much more reasonable data files. Older version were *really* nasty, and had a data file format so complicated that we invented a dedicated zone-transfer mechanism just so people could send DNS data to each other.
And while djbdns uses an unconventional admin system with lots of environmental variables, that's a one-time setup (that is probably done in large part by your package manager) and the actual data files are dead-simple -- plain text, one record per line, can do DNS lookups at build time, can concatenate files, etc. There are valid complaints to be made about djbdns, but I don't think "difficult to wrangle" is one of them.
It gets restarted automatically. Check system.log.
Only a fool would configure public-facing DNS servers as masters, although I've seen it done. Only the king of the land of fools would put his domain's real DNS master on a public-facing network. Thus, only domains administered by fools should be directly affected. Darwin for teh win!
# yum -y update && shutdown -r now
and pray to FSM that it comes back up.
Anybody want my mod points?
+1 hysterical
I have not received any alerts from the normal channels via email, such as US Cert, SANS, etc.. but i clearly see they have the alert posted. 8 hours in and IBM/ISS does not have a block signature we can deploy.
I noticed the brief post to NANOG and began my research and deployed.
The update to the ports tree hit shortly after the ISC update so there must be some chatter out there.
We have updated our DNS servers, do you think we can expect another upgrade with a better fix like the last round of updates?
FYI: we have not seen an attempt to be exploited, i expect this to have changed by morning.
If you're running a serious server you should always do a reboot test after installing any software. I've been burned many times by someone doing a "harmless" installation only to find out 6 months later a critical library was upgraded with an incompatible one (a recent example is expat 2.0) and the server doesn't boot like it should.
Always reboot! Even with the super slow bios you get in servers nowadays it should only take 2 minutes to be back up and running.
I reported a bug *very* similar to this back in Oct, and only now its coming to light? WTF? I submitted this back in january and it was rejected. Ah well. Here's my page on it: http://garion.tzo.com/resume/page2/bind.html
Slashdot is like Playboy: I read it for the articles
Recent versions of BIND (8+) are not terrible to administer
Try configuring dynamic DNS through nsupdate with a shared secret.
If you have an NS key, you can specify the key on the command line, or you can store the key in a file, and pass the filename.
The former is a security risk (as anyone running 'ps' can see your key). The latter? Well, someone decided that it would be a good idea to hard code metadata in the filename (even though the same metadata must be present inside the file too.) Oh, and you need two files, even though it's only using one. Oh, and you need to name the key the same as the zone in your named.conf.
Considering that I've only ever seen that level of idiocy from first year comp-sci majors, I have to wonder at the technical competence of the people in charge of writing BIND.
Does your average user have anything to worry about here? Or is this really only a concern for businesses that run their own DNS servers?
Large print giveth, and the small print taketh away
Your post reads like you'll ask for $20 to show people how THEY TOO CAN SET UP A .HOSTS FILE.
Just saying.
Also, your approach is stupid because I like to use the internet.
Don't forget to set your hosts file to read only. There's bastards out there who will rewrite it for you. Ads. I have a huge hosts file too. But it's mostly for homing out annoyances. Tip: Use Notepad++ for editing your hosts file instead of standard Notepad. The former preserves the lack-of-extent Hosts requires. The latter adds .txt, and you're stuck shuffling file names around. Nice little editor, too.
Do not mock my vision of impractical footwear
For a quick "fix":
iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
Will block (all) dnsupdate requests.
See subject-line, & "just sayin", right back @ ya... because, it works, "exactly as advertised" with a 100% free price (especially considering I am not selling a thing & you all have one already, lol).
My approach isn't stupid in regards to that. Free? That's a "pretty good price", wouldn't YOU say? And, you're also FREE to customize it, & thus, YOUR PERSONALIZED VERSION OF A CUSTOM HOSTS FILE, JUST GOES ALONG WITH YOUR PERSONALIZED SPED UP & SAFER VERSION OF THE INTERNET... &, just as YOU see fit & like, easily. Notepad.exe for instance? My gosh - lol, just "does wonders" here, on this account... lol!
(Plus, using HOSTS files makes me FAR faster online, by double just by blocking adbanners (javascript on the rest helps too, IF it is not demanded for full function), as people will attest to that much by the truckload, go to say, mvps.org & see their forums on that note, as 1 example... & it makes me FAR SAFER too).
ALL, from a simple text file no less that you already have as long as you have a BSD derived IP stack, & you most likely do, & that YOU can completely control + customize to your liking, yourself, easily. So can anyone else, for free, same bennies, as long as you can read english & use notepad.exe (in Windows that is on the latter).
Put it this way -> I'll let others speak for me, on this account, instead, via these evidences thereof:
Even "security guru" Oliver Day @ SecurityFocus.com sees using HOSTS as a good thing for added layered security AND MORE SPEED ONLINE -> http://www.securityfocus.com/columnists/491
AND?? So do folks like "SpyBot Search & Destroy" also (since their app populates not only the HOSTS file, but, also files like Opera's Filter.ini, FireFox's block lists, & IE Restricted Zones also, for LAYERED SECURITY (this is the trend & recommended practice by security folks by the by, myself included))
Hey - Even this slashdotter, sootman, uses one & made many interesting points that support his usage of a HOSTS file, from mvps.org, here -> http://tech.slashdot.org/comments.pl?sid=1300193&cid=28677363
"Also, your approach is stupid because I like to use the internet." - by ShakaUVM (157947) on Wednesday July 29, @12:21AM (#28862259) Homepage
QUESTION: How does going almost double as fast and safer make you not be able to use the internet?
(Thanks for your answer!)
Aha, this "epiphany/revelation" just struck me... lol:
You are merely a reply from, no doubt, a webmaster worried about page adbanner hits, or an ads server marketing man, lol... ok, to that? I can only say, this:
----
The-Next-Ad-You-Click-May-Be-a-Virus:
http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus
----
That's for readers' reference... & I am certain they too, realize you are either a malware maker/botmaster/hacker-cracker/spyware-virus-rootkit maker, or "money man online" (Both it seems, are profiting by the misfortunes of others basically, by possibly infecting them... and yet making monies from them also for pageviews & adbanner hits...? A good 'hosing' of the customer, & From BOTH ends (literally & figureatively)).
Time for enough of that, I think.
APK
P.S.=> I'll gladly discuss any of this & add to that above too... that's just for starters on this "antiquity" item, being EXTREMELY useful, TODAY, & for better security AND BETTER SPEED, online, today (reliability too it looks like from this article) - & I'll do so, because I love this topic + know it actually works, & WELL!
On this? Hey man, I am, truly, "The LORD OF HOSTS", on the subject of HOSTS files, so glad to entertain any debate on them... apk
Sounds like a lot of work when you can just run Treewalk DNS and be done with it.It is fast, uses very little resources (mine is using 5Mb ATM) and never gives a bit of trouble.
ACs don't waste your time replying, your posts are never seen by me.
Using 0, as I do, is F A S T E R & more efficient than using 127.0.0.1 though (your other points are good - mine's been not only WRITE protected, but also ACL protected too (keep THAT in mind, & use NTFS)).
I can prove that to you, via you doing something as simple as loading your HOSTS into a LISTBOX (smaller one, then larger ones, or even a converted blocking address one I go into next) or using a std. compiler's language to do the File Open/Read/Close cycle, using a loop (+ a hi-resolution multimedia timer registered with the system to time it)... you can prove it, yourself, if you code.
My file has 654,000++ entries in it (200 are hardcoded favs, rest are blocked adbanner servers for speed & more security, along with KNOWN bad sites (I can supply sources if you wish, all reputable)).
Using 0, as my BLOCKING IP ADDRESS (vs. adbanner servers or known bad sites), it is only 14mb in size!
Next - going on to 0.0.0.0 instead, though smaller than 127.0.0.1, gets you to 18mb in size on my file...
Using 127.0.0.1 though, the loopback adapter? It uses some CPU afaik, because of what it is (& I am pretty sure 0 &/or 0.0.0.0 are like the NUL port in DOS, pure nada, no cpu usage or not as much), AND, it is larger by far, hitting 20mb on my file (with as many line entries, just converted via a program I wrote for that here, that also removes duplicates from it & pings my favs to keep them current).
Larger files? SLOWER, period... even when accounting for the 4kb sweeps/passes the memmgt/caching/filesystem/disk drivers utilize, because my using 0 vs. larger blocking IP addresses of 0.0.0.0 or 127.0.0.1 makes for shorter lines in a HOSTS file... meaning MORE OF IT GETS PICKED UP, per PASS/SWEEP, each sweep/pass... more mileage, more power, & even more safety. HOSTS are great for it, but doing 0 based IP address ones for blocking only makes them, the BEST they can TRULY be.
APK
P.S.=> I'd also think that since 0 hex = 0 decimal, that the decimal-to-hex & vice-a-versa that goes on shouldn't be necessary on IP addresses like 0, because if you ping a 0 blocked IP in your HOSTS file, you get 0.0.0.0 back though, so not sure on this much, though it might be a GOOD idea for design (127.0.0.1 gets converted & so does 0.0.0.0 iirc, but doing it for 0? Not needed) you save on CPU here & storage too, plus speed gains due to lack of that... LESS IS MORE, & "0"? Accept NO substitute, lol... apk
Does anyone know if CentOS 4 will have an update for BIND to ver 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1?
Why waste CPU cycles running those, when a HOSTS file does the job & users have one already, PLUS for FAR LESS COSTS cpu-wise, software-wise, etc. et al (takes zero cpu cycles, as it is not a program, but more or less a guard-filter & speed upper for favorites, that you already own too).
"Sounds like a lot of work when you can just run Treewalk DNS and be done with it.It is fast, uses very little resources (mine is using 5Mb ATM) and never gives a bit of trouble." - by hairyfeet (841228) on Wednesday July 29, @01:11AM (#28862507)
Sure, that might work & there are many alternate local DNS servers & such one can use, but per my subject-line above? Well... that & my p.s. explain my stance on it. I go faster & safer, using a little text file & an editor... it's THAT simple, & inexpensive (costs & cpu cycles wise + RAM usage possibly)...
Right now? Well... I just do NOT trust the Domain Name System like I used to, especially because of articles like this one. That includes BIND, & really, any others too. Sometimes, yes, I have to use them, even with a HOSTS file, but I minimize that, hugely & use the ones that patch first.
APK
P.S.=> Plus, seeing all this DNS poisoning, redirections, & other shenanigans such as Dan Kaminsky found last year/this year, or, this article's points too? No thanks... no offense intended, but, no thanks! apk
Any ISP's DNS that mucks about with NXDOMAIN is by definition not standard.
Is it faster for 0.0.0.0 to give you nothing or for 127.0.0.1 to give you a connection refused?
See subject line - are you talking about OpenDNS, or something else...?
(If about OpenDNS - Well, I didn't say they were 'standard' by any means, if so, show us where I did please, thanks... & - What I like about them, for what little I use them for anyhow, is that when Dan Kaminsky found the hassles in BIND last year/this year? They were patched, a.s.a.p.)
IF that is what you're referring to... that is. I must admit, I am not really sure what you mean here or in regards to what...
APK
P.S.=> I'll be awaiting your reply, & Thanks for your time... (but, if you were not addressing me, & you did so by accident (which happens)... then that's cool, forget about it)... apk
See subject-line, & rinse/lather/repeat...
APK
P.S.=> Because 127.0.0.1 is the "loopback adapter", that means it is 'doing something', even if it only points to "yourself"... it is a "loopback" mechanism. Processing occurs. Afaik? 0 & 0.0.0.0 are like the NUL device in DOS - nowhere, a waste bucket... no processing needed for that, not really.
Using 0 though? Hey, big deal, even IF you are running a webserver (because this causes some minor err msgs on some of them & some config file work can clear that or errmsgs (inconsequential ones really) & most folks don't anyhow, run Apache or IIS or whatever @ home because to do a 'real job' of it, you need a commercial account usually, or they kill you on bandwidth & brick your site, if not eventually)...
0 doesn't do as much processing on disk or as a loopback address either (& iirc, neither does 0.0.0.0 since 0 equates to that but makes for a 25% less sized HOSTS file, & thus, it is faster on disk into memory too because of that & 0, if you think about it, vs. 0.0.0.0 or 127.0.0.1 doesn't even really require a decimal-to-hex conversion really since 0 decimal = 0 hex... that'd be nice to see in the IP stack though because of efficiency if not there already though)! apk
" Your post reads like you'll ask for $20 to show people how THEY TOO CAN SET UP A .HOSTS FILE "
Still cheaper than a $35 domain from Verisign.
Need Mercedes parts ?
You DO "hear tell" of what you state though... especially the past couple years, & yes, here on this website.
(I see what you mean now, I thought you meant ME, lol... or, OpenDNS!)
I hear some of what they do is redirect banner requests or search filtering (even OpenDNS does the latter, iirc, via opendnsguide.com), but don't QUOTE me on this much, it is only operating on memory (yes, lol, more than "640K: ALL A BODY NEEDS!", lol), so the details are a bit dim on the exacting details of what little I recall... why?
I rarely really USE DNS servers, even the non-ISP/BSP ones (much less my ISP/BSP's, which are ok afaik) like OpenDNS... because of HOW I use my HOSTS file in addition to knowing my regular "surfing patterns"... as far as hardcodes, & I am certainly NOT resolving many adbanners, lol, this is sure (I go faster this way, I pay for my linetime, I want ALL of it) & I am not hitting bogus sites, because I keep this file up, daily ESPECIALLY vs. that much.
APK
P.S.=> HOSTS files, & OpenDNS do the job for me (the former? Probably a GOOD 95% of the time & F A S T, & as efficient as possible, per the format, layout, & placement of it I use)... apk
" Older version were *really* nasty, and had a data file format so complicated... "
Rememeber that this was a product of the early 1980s; Brian Reid, Director of Digital Equipment Corporation's Network Systems Laboratory ("decwrl.uucp") hired a kid, Paul Vixie, to take the buggy Berkley B-tree code and turn it into something resembling professional software. At the time even C was not even close to ubiquitous, Assembler was though and in fact the great majority of code written for the early microprocessor based systems of that era was written in assembly.
So it should not be any great shock that bind config files looked like assembly code, or that the later versions looked like C.
Frankly I found the earlier bind config files much easier to use, and the djbdns config files even easier (once you get used to them) to use, and (much) more importantly, you can write a program to manipulate these datum very easily. It's ugly and complicated with bind data files of any version.
Need Mercedes parts ?
See my subject-line above, because the TRUE "anonymous cowards" are the ones with the mod points who mod others down, but say nothing as to WHY specifically... &, if you're going to mod my post down, won't you @ least show the "intestinal fortitude" to give reasons why I am in error (I am not), or what you disagree with @ least? Thanks for your time (even a detractor's time, because you MAY have points that are reasonable, which would look better than just modding me down for no reason given, I would think @ least).
APK
P.S.=> Ah, but then? Sometimes?? Perhaps I expect "too much"... lol, "TOO EASY"... apk
Come on people, still using BIND? Why don't you use djbdns? It's easier to use and has a guarnatee!!!
Until the skies turn blue...
Until the air of freedom strikes us...
While this is true for CentOS (RHEL) and Debian-based distros, it's not universally true for others.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
There are excellent alternatives to bind.
For example, i have been using nsd for years.
Super easy to configure. Lacks recursive
resolver tho..
http://www.nlnetlabs.nl/projects/nsd/
Smugness to spare? My smugness was overflowing more than BIND9 buffers.
:).
Great opportunity to vent some smugness today
It could have been worse (and no, I haven't read the article yet). Failing an assertion means that they actually wrote an assertion that did it's job. It's impossible to know without reading the code, but this might have been a remote code execution exploit if they hadn't.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
I am already updated. Thanks to Debian.
Why on earth is BIND shipping with assertions that cause the entire server to exit when they fail? They should just cause processing of the current request to exit.
BIND is not a typical Linux application. It was developed at Berkeley and shipped with BSD Unix, and later also with Windows.
Not a very clever bit of trolling.
You may hide your master DNS servers but your slaves are probably still master for "localhost".
dude please tell me you have a website or somethin coz that stuff is gold info & i totally dont get why they mod u down ether -> probly scared of the truth that hosts is FAST like you say because then they lose money on all ther expensive dns admin stuff if everybody jsut uses hosts
So, basically, the program can be crashed by a specially-crafted malicious update package, and the designers of the program are asking you to update the program in order to shield yourself from exploitation by updates.
I think there's a joke in there somewhere. Anybody want to give it a shot?
No it doesn't. Why do you lie ? .txt . You can open the existing hosts file by right clicking and selecting "open with" and then choose notepad. It doesn't append .txt to an existing file name.
/etc/hosts which is much quicker than trying to remember where MS hid the file on their OS.
If you create a new file it will append
I don't generally care anyway, as I can vi
Time to let go of that ancient rule that ports under 1024 are root-only.
Religion is what happens when nature strikes and groupthink goes wrong.
My approach isn't stupid in regards to that. Free? That's a "pretty good price", wouldn't YOU say? And, you're also FREE to customize it, & thus, YOUR PERSONALIZED VERSION OF A CUSTOM HOSTS FILE, JUST GOES ALONG WITH YOUR PERSONALIZED SPED UP & SAFER VERSION OF THE INTERNET... &, just as YOU see fit & like, easily. Notepad.exe for instance? My gosh - lol, just "does wonders" here, on this account... lol!
Are you the ghost of Billy Mays?
And this is why asserts should *never* go into production builds of any project. It's fine to have asserts in your debug build, but ALWAYS deal with the unexpected case immediately after your assert (which should be compiled out in release mode).
If you have no way of throwing an error and handling it gracefully back up your call stack (no, you don't always need exceptions for this), then you've done a shit job!
Today's weirdness is tomorrow's reason why. -- Hunter S. Thompson
May I have your contact information? I would like to hire you next time I need to write a come-on for an item I'm trying to peddle :P
Bot Assisted Blogging
Tip: In Notepad.exe if you surround the filename and extension with quote marks (") on your new file it will keep the extension and not append .txt
it's not an article but a security advisory. meaning _if_ you run BIND9 somewhere please do read it. ;-)
"morning is a state of mind
A diskdrive accesses around 10ms nowadays& that's FAR F A S T E R than calling on a remote Domain Name Server & getting a URL-to-IP address resolution from one (pinging them alone takes 30-60ms for returns, illustrating some of the "travel time" involved, for example). Even with a std. HDD, you're looking @ a 3-6 fold order of magnitude decrease in time taken to access a HOSTS file, vs. even talking to a remote DNS Server.
(Mine does so here, FAR FASTER, @ .01ms (since I house my HOSTS file on a Gigabyte IRAM SSD) after altering the DataBasePath Parameter here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters))
My time savings right there alone is gigantic vs. using remote DNS servers for URL-to-IP address resolution from a local HOSTS file, & especially for how I have my HOSTS file setup here?
That certainly doesn't take me 30-60ns... FAR from it/many orders of magnitude less...
APK
P.S.=> YOU should really read what Dan Kaminsky's found about DNS servers, as well as about "DNS Poisoning" as well as this very article also (because in case you haven't noticed? Trusting DNS servers, especially lately, isn't the "greatest idea" )... apk
"I suspect you were modded down because you are grossly off-topic." - by Anonymous Coward on Wednesday July 29, @07:12AM (#28864183)
How so? I mention how using a HOSTS file completely allows me to escape using potentially "poisoned" or otherwise faulty remote DNS servers (especially for my favorite websites, & anyone can do this also, easily).
----
"This is a news story about a vulnerability in an open-source DNS server, not what kind of retarded Windows configuration 'APK' is using." - by Anonymous Coward on Wednesday July 29, @07:12AM (#28864183)
Right - & my setup allows me to quite often (most times in fact, for how I surf specifically especially, since I hardcode 200 or my fav. websites in my HOSTS file) to dispense with using remote DNS servers altogether - minimizing my traffic to them, & dependence upon them (especially DNS servers that are poisoned or otherwise faulty (OR NOT)).
APK
P.S.=> HOSTS files help that way... apk
Also - Once my HOSTS file data is in RAM (be it the local diskcache OR the local DNS Client cache service)? I am going @ "the speed of RAM"...
Which is FAR FASTER than 30-60ms to call out to a remote DNS Server for a URL-to-IP address resolution!
Plus - again, how I set my HOSTS file up, on a SSD?
I am F A R Faster on access/seek for the File Open/Read/Close I-O cycle by far (especially since I minimize this by using 0 as my blocking IP address, vs. the longer & slower 0.0.0.0 + especially the 127.0.0.1 "loopback adapter"), with only a .01ms access/seek time & the file read doesn't take 60ms to achieve, far from it, even on the initial read (& once cached? FAR FASTER STILL yet again). Even folks with a std. mechanical HDD only take 10ms or so to access a file, & that alone is 3-6x as fast as calling out to remote DNS servers for URL-to-IP address resolutions also.
(So much for your "arguments"... &, of course, there is also testimonials from the likes of Mr. Oliver Day @ SECURITYFOCUS.COM who also says he notices that using a HOSTS file has him going F A S T E R online than he did without one too... plus, safer, especially if KNOWN BAD SITES or SERVERS are blocked in a HOSTS file)
"NEXT...", lol...
APK
P.S.=> Following up on what I wrote to you in reply initially, here -> http://it.slashdot.org/comments.pl?sid=1318247&cid=28864643 w/ this additional data... apk
Isn't 0.0.0.0 the broadcast address? Likely blocked by your router then. Comma si, comma sa.
It's generally in c:\windows\system32\drivers\etc
Do not mock my vision of impractical footwear
Dunno, every time I use 127.0.0.1 all I see is a ton of porn...
the only thing stupid is not using this host file
Per my subject-line above? See this testimonial to HOSTS files effectiveness on increased speed alone (let alone more security by blocking out KNOWN bad sites &/or servers):
http://www.securityfocus.com/columnists/491
Resurrecting the Killfile Oliver Day, 2009-02-04
PERTINENT QUOTE/EXCERPT:
----
"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet particularly browsing the Web is actually faster now"
----
As the saying goes? "NUFF SAID...", as the REAL 'BOTTOM-LINE' is about results...
APK
P.S.=> "NEXT...", lol - apk
Glib Gibbs said it was $15. Just sayin'.
Notepad doesn't change the names of existing files, but it does seem to like to force the .txt on new files that it creates.
I don't think 0.0.0.0 is the broadcast address. The only time I've ever seen it used is in combination with a /0 netmask to stand for "all addresses" e.g. 0.0.0.0/0 I believe the broadcast address is generally the last IP in the subnet, so if you're on 192.168.1.0/24, your broadcast would be 192.168.1.255.
I'm no network guru, so maybe I'm off a bit too, but I think I'm closer. I'm sure others will be more than happy to correct me. :-)
"I know that every word that man just said is true, because it's EXACTLY what I wanted to hear." -- Space Ghost
... about a security flow in MS DOS nowadays ?
"man ure so deep you relly sshould make a blog or a twitter or something" - by Anonymous Coward on Wednesday July 29, @10:35AM (#28866195)
Heh, thanks... but, well - NOT really: Most ANY network tech or admin even (users with a better password really, because they only USE tools guys like myself, software engineers/coders/programmers write for them to USE) knows about this even...
So, that "all said & aside"?
Well - I cannot put it any better than this:
"Learn to know the dark side of the force and you will achieve a power greater than any Jedi." - Darth Sidious/Emperor Palpatine (last of the SITH)
http://www.entertonement.com/clips/msydsyxplv--Learn-to-know-the-dark-side-of-the-force-and-you-will-achieve-a-power-greater-than-any-JediStar-Wars-Episode-III-Revenge-of-the-Sith-Ian-McDiarmid-Supreme-Chancellor-Palpatine-
Jedi's being my "naysayers" here, & whom I strongly suspect, are merely techies &/or network admins/engineers @ best/most... not coders (who ARE the "sith lords" basically, since many of us, like myself, have done THEIR JOBS, and written the code they merely USE)... period!
APK
P.S.=>
"i hope evry1 woud use HOSTS instead of crappy slow and insecure dns servers then the internet would be a better place." - by Anonymous Coward on Wednesday July 29, @10:35AM (#28866195)
As is, right now, what with Dan Kaminsky's findings on DNS server faults, as well as this article's points (& network solutions being pilfered this week also, & afaik because of DNS poisoning)? They work... & do anyhow, for superior speed, & security online.
Evidence thereof, per Mr. Oliver Day of SECURITYFOCUS.COM:
----
http://www.securityfocus.com/columnists/491
RESURRECTING THE KILLFILE:
"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet particularly browsing the Web is actually faster now."
----
Since "my word here" is apparently, NOT good enough? You have Mr. Days as well, saying exactly what I have pretty much (& I am fairly sure he has read my security guide also & agrees with my points in it about HOSTS files value for BOTH added speed, AND SECURITY, online today (especially today in the era of the poisoned DNS server, or malicious sites + adbanners))... especially in LIGHT of this article about DNS troubles, AND this one (bad adbanners):
----
IT: The Next Ad You Click May Be a Virus
http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus?from=rss
---- ... apk
"The Dark Side of the Force is a pathway to MANY abilities, some consider to be... unnatural!" - Darth Sidious/Lord Palpatine, last of the SITH LORDS...
Or, my 'naysayers' really in THEY essentially being "the jedi"... what I propose here is often beyond their limited "I read it in a manual or a forums & that MUST be the 'only way' or 'best way'" type b.s. they try to pass off as "know-how"... lol! They're merely "users with a better password", who merely USE what guys like myself (who have done their job, & FAR MORE, as a coder/software engineer/programmer as well as network engineer/admin/tech too in my time professionally in this art & science) created for them to USE... & that is about it.
They're SEVERELY "limited in scope" as to their abilities, period. At least by comparison to coders... by far.
HOW CAN I SAY THAT? Simple, look @ their suggestions & my replies in rebuttal (I easily shut them down on every point, with proofs or tests they themselves can try even (IF they could code, most of them? Cannot... limited!)
"You must break thru the fog of lies the jedi have created around you. Let me help you to know the subtleties of the force...Anakin, if one is to understand the 'great mystery' one must understand, ALL OF ITS ASPECTS... NOT just the narrow, dogmatic view of the Jedi: IF you wish to become a wise leader, one must embrace... a LARGER view of the force..." - Darth Sidious/Lord Palpatine, last of the SITH LORDS...
(Especially in light of this article, plus Dan Kaminsky's findings regarding problems in DNS servers, as well as Network Solutions going batty this week (iirc, & afaik, due to DNS poisoning in part (don't quote me on that though)) PLUS the fact that a HOSTS file does make you go faster, period, to which I also provide not only my own testimony thereof, but that of noted others + others responses here too?)
Hey - Well... read on:
"Duuude, by the time you setup your host file for all the sites you visit, the Internet age will be gone....Talk about "FAST"." - by flibuste (523578) on Wednesday July 29, @11:37AM (#28867215)
Not true, because MANY reputable sources for HOSTS files that already work well, exist, such as the one @ WIKIPEDIA (steer clear of the ones from FRANCE though):
http://en.wikipedia.org/wiki/Hosts_file
AND, to further populate it for security? You can use sites like these (excellent for it):
ZDNet's Mr. Dancho Danchev's weekly blog -> http://ddanchev.blogspot.com/
SRI -> http://mtc.sri.com/
& others, such as "Spybot 'Search & Destroy'", which also populates your HOSTS file (plus, Opera's filter.ini, FireFox/Mozilla's internal to browser 'block lists' as well as IE's "restricted zones" too...
(Stopbadware.org is good too - they're essentially, GOOGLE or partnered w/ them, afaik...)
APK
P.S.=> "The Dark Side of the Force is a pathway, to many abilities... some consider to be, 'unnatural'" but, it works for MANY abilities, including being faster & safer online (& this thread has plenty of evidence from myself + others to that effect as proof thereof, such as Mr. Oliver Day from SECURITYFOCUS.COM) but, "Is it possible to learn this power?" & answer is "NOT FROM A JEDI" - the 'jedi' being these 'users with a better password only at best/most' in network techs/network admins, with their LIMITED scope & knowledge in this field (as opposed to the TRUE 'sith', in coders/programmers/software engineers, who invent the tools those same "jedi" MERELY USE, but do not create, themselves, period)... apk
I work for a major DNS provider currently doing DNS administration. I have reviewed the current exploit as well as the prior exploit release (that "is" practically the same) as released by John Sutherland originally against multiple versions of Bind 9. While the ACL's do not appear to be respected per the updates requested, which seems to have a lot of people concerned that this will affect their public facing name servers, it does appear that the dynamic update has to be accepted. Hence, you DO need to know the tsig key and then query for the succesfuly updated record before the assertion error will cause BIND to cease running. If anyone can prove me wrong, it would be much appreciated.
Again, you:
1) Need to send the dynamic update to an IP that is listening for updates on the target BIND server
2) You do need to know the correct tsig key to have the update accepted
3) You do need to query the updated record IN ANY for the assertion error to actually be presented
Please explain how this is that concerning? Who exactly can immediately guess or can brute force tsig keys for a specific server before IDS or even the human eye notices all the denied update requests coming in?
This vulnerability should be attributed to its original discover, John Sutherland first off. And secondly, its by no means the end of the world unless someone has more info on this that isn't being disclosed to the public. And no, I do not work for the same company as Mr. Sutherland, I actually work for a competitor for any of you that think this is a shameless promotion. I'm just saying that fair is fair and he did discover it first.
Per my subject-line above, & this quote from you:
"You should really read up on data structures, using a hash map which I guess most DNS-servers use is a LOT faster than searching through a hosts file." - by erikdalen (99500) on Wednesday July 29, @04:27AM (#28863433) Homepage
Especially considering THIS VERY ARTICLE is about their faultiness (dns server hassles & bugs)? Hey... lmao, @ that quote, from you above! Why/How?
Simple: Especially considering the facts in my other 3 replies to you, as well as Kings Jowkers success in using a HOSTS file too, which was in reponse to that which I quote above (plus Mr. Oliver Day's of SECURITYFOCUS.COM who also recommends HOSTS files for better speed & security too as I have)?
----
About HOSTS files loads from disk speed, even SSD's as I do (even faster), vs. time taken for calls to remote DNS servers (many times faster how I do it using a CUSTOM HOSTS FILE, period, without the possible poisoning or misdirects that DNS servers obviously have been showing, PER this article & others)
http://it.slashdot.org/comments.pl?sid=1318247&cid=28864643
----
On DNS local client cache, OR, even a diskcache subsystem, speeding up what I noted in my url just above this one (even moreso):
http://it.slashdot.org/comments.pl?sid=1318247&cid=28865197 (DNS local client cache, OR, even a diskcache subsystem, speeding up what I noted in my url just above this one, even moreso)
----
Mr. Oliver Day's successes in gaining more SPEED using hosts files (as well as better LAYERED security too):
http://it.slashdot.org/comments.pl?sid=1318247&cid=28865727
----
As well as "sootman"'s (he is a member here who uses a HOSTS file successfully) take on HOSTS file (he is also a user here that uses one, the model from mvps.org, whose forums you MAY wish to look @ also, in regards to successes folks have had using HOSTS files for more speed, and security, online today (especially today, in the era of the poisoned DNS server, &/or bogus adbanner ads + bad websites)):
----
http://tech.slashdot.org/comments.pl?sid=1300193&cid=28677363
----
Then, there is the issue of bogus adbanners (which if you block them? You go faster online, by almost DOUBLE no less, & safer by far also, per the above):
----
IT: The Next Ad You Click May Be a Virus:
http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus?from=rss
----
?
Given ALL of those?
Well - You MUST consider the findings of Dan Kaminsky & holes in DNS he has found, as well as "DNS poisoning" itself, AND THIS VERY ARTICLE's CONTENT here today in which we are replying, as well...
APK
P.S.=> Keep trusting DNS servers alone, because as this article notes? They are faulty, & they ARE under attack... & you get, what you get (like this article shows, as just 1 single example, for securities' sake - let alone the speed gains HOSTS files give you, along with being able to reach your fav. sites, even IF your DNS goes down to exploits such as this article shows)... apk
I can't tell after reading the ISC release and various other documents how this exploit takes place. I have a machine with UDP port 53 publicly visible, but TCP port 53 is firewalled off against all IPs except the machines under my control. Is this a UDP or a TCP exploit?
Someone above posted an iptables rule that applied to UDP port 53. Is that correct?
"Dunno, every time I use 127.0.0.1 all I see is a ton of porn..." - by Anonymous Coward on Wednesday July 29, @09:30AM (#28865293)
Ahem: (cough - "BULLSHIT!" - cough!)
(Are you running your own Pr0n server or something?)
Try 0 or 0.0.0.0 instead, as "blocking IP addresses" in your HOSTS file, vs. bogus sites (simply because they're smaller, & more efficient than 127.0.0.1 is anyhow)...
APK
P.S.=> Still, just based on the rest of your replies here? To be BLUNT about it?? Well, I think you are full of it - Well, unless YOU have something very odd going on in your system, as is, already, beforehand (which is, quite possible)... apk
See my subject-line above...
APK
the broadcast address is the number where all bits of the host segment are one. a subnet isn't necessarily an "octet," especially in classless systems. 0/0 is interpreted by many network stacks in the same way as localhost, but it's the network or "network discovery" address for the internet IPv4 space.