Slashdot Mirror
New DoS Vulnerability In All Versions of BIND 9
Icemaann writes "ISC is reporting that a new, remotely exploitable vulnerability has been found in all versions of BIND 9. A specially crafted dynamic update packet will make BIND die with an assertion error. There is an exploit in the wild and there are no access control workarounds. Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC post refutes that. This is a high-priority vulnerability and DNS operators will want to upgrade BIND to the latest patch level."
This is very interesting. I'm sure the people behind BIND will scramble to get things sorted out ASAP, but I wonder how long it will take other vendors (Apple, I'm looking at you!) to release a patch.
I do have to wonder about exploits like this that seem initially incredibly serious, yet nothing much comes from them and they don't seem to get exploited to the extent that you might expect they would - this one reminds me of l0pht's famous claim that they can bring down the internet in 30 minutes. If this vulnerability is really as serious as they say, and as easy to exploit as it appears to be then in the wrong hands, this could really be an "internet killer"
Specialist Mac support for creative pros, Melbourne
Was once the day whe a notice like this would kick off a flurry of migrationn plans, compiler scripting, compiling, and restarting servers in the dead of night. (and bonuses to match!)
But now?
# yum -y update && shutdown - r now
Sometimes I pine for the 'good old days'. A little. (ok, hardly at all)
I have no problem with your religion until you decide it's reason to deprive others of the truth.
According to this document, BIND 9 has issues including being monolithic, having a "Bad Process Model", Hard to Administer and Hard to Hack. That's not a good reputation to have.
To some extent, these issues apply to everything Linux save for the last point. I am waiting for the time these points will not apply to Linux and its associated software.
I must say that understanding BIND's configuration file was not that easy for me at first but after trying several times, I can say I am almost an expert. Things can be made simpler though. A text based interactive system could be of a lot of help. Tools like Webmin come in handy too though they require that a system be running initially.
I reported a bug *very* similar to this back in Oct, and only now its coming to light? WTF? I submitted this back in january and it was rejected. Ah well. Here's my page on it: http://garion.tzo.com/resume/page2/bind.html
Slashdot is like Playboy: I read it for the articles
PowerDns for the win. Plus it reads legacy BIND zone files.
Why? You're DNS servers are clustered and load balanced right? rrright? Those of us that need our infrastructure up don't think twice about rebooting even during the day! A golden age we live in indeed when I can just take the server out of the load balancer rotation, apply updates, perform reboot rest, and then put it back into rotation repeating the steps for all servers in the cluster.
Why on earth is BIND shipping with assertions that cause the entire server to exit when they fail? They should just cause processing of the current request to exit.
You may hide your master DNS servers but your slaves are probably still master for "localhost".