Slashdot Mirror

← Back to Stories (view on slashdot.org)

New DoS Vulnerability In All Versions of BIND 9

Posted by kdawson on from the binding-with-briars-my-joys-and-desires dept.

Icemaann writes "ISC is reporting that a new, remotely exploitable vulnerability has been found in all versions of BIND 9. A specially crafted dynamic update packet will make BIND die with an assertion error. There is an exploit in the wild and there are no access control workarounds. Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC post refutes that. This is a high-priority vulnerability and DNS operators will want to upgrade BIND to the latest patch level."

135 of 197 comments (clear)

  1. Interesting by PhunkySchtuff · · Score: 2, Interesting

    This is very interesting. I'm sure the people behind BIND will scramble to get things sorted out ASAP, but I wonder how long it will take other vendors (Apple, I'm looking at you!) to release a patch.

    I do have to wonder about exploits like this that seem initially incredibly serious, yet nothing much comes from them and they don't seem to get exploited to the extent that you might expect they would - this one reminds me of l0pht's famous claim that they can bring down the internet in 30 minutes. If this vulnerability is really as serious as they say, and as easy to exploit as it appears to be then in the wrong hands, this could really be an "internet killer"

    --
    Specialist Mac support for creative pros, Melbourne
    1. Re:Interesting by d3matt · · Score: 2, Informative

      so... any BIND server would be down for a bit... anyone with a caching name server would still be able to surf.

      --
      I am d3matt
    2. Re:Interesting by houstonbofh · · Score: 2, Interesting

      Only to sites already cached. The more unusual sites would just be all gone. What do you bet http://downforeveryoneorjustme.com/ is not cached by your DNS server right now?

    3. Re:Interesting by Minwee · · Score: 5, Funny

      It is now.

      This vulnerability also gives the three people running DJB DNS a much needed opportunity for some smugness.

    4. Re:Interesting by kriebz · · Score: 5, Funny

      I was under the impression they had smugness to spare.

    5. Re:Interesting by HARRRRRR · · Score: 1

      *bzzzzt* sorry pal...

      you're assuming nobody follows rfc1912.

      also, what happens when the (ridiculously configured) host you're trying to browse goes to do a reverse lookup on your address?

    6. Re:Interesting by rs79 · · Score: 1

      " This is very interesting. I'm sure the people behind BIND will scramble to get things sorted out ASAP, but I wonder how long it will take other vendors (Apple, I'm looking at you!) to release a patch. "

      I'd be less concerned about that than I would be about how long it will take for people to do something about this on their nameservers. IMO the best update to BIND is DJBDNS but that's just me.

      Either way, there are FIVE HUNDRED THOUSAND nameservers out there. Some of them still run Bind 4.7.

      --
      Need Mercedes parts ?
    7. Re:Interesting by MrMr · · Score: 1

      Now it is.

    8. Re:Interesting by QuantumRiff · · Score: 1

      Only when they run DJB DNS on their macbooks...

      --

      What are we going to do tonight Brain?
  2. Use Unbound or NSD by nwmcsween · · Score: 5, Informative

    I don't want to bash BIND but it has had a fair amount of sec issues (well a lot), try unbound or nsd instead http://unbound.nlnetlabs.nl/ http://www.nlnetlabs.nl/projects/nsd/

    1. Re:Use Unbound or NSD by medlefsen · · Score: 5, Informative

      or djbdns. We use it where I work and other than a slight adjustment to djb-land it has been wonderful. I know people appreciate how powerful BIND is and maybe some people need that. I suspect though that most people just need their DNS servers to serve their DNS records or provide a caching DNS server for local lookups and for that BIND seems to be bloated and insecure.

    2. Re:Use Unbound or NSD by buchner.johannes · · Score: 1

      for dns caching, dnsmasq is nice too, but I'm not certain that it has a good security history.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    3. Re:Use Unbound or NSD by abigor · · Score: 2, Interesting

      PowerDns for the win. Plus it reads legacy BIND zone files.

    4. Re:Use Unbound or NSD by TheLink · · Score: 1

      I'm certain dnsmasq does not have good security history.

      Google for: dnsmasq vulnerability

      --
  3. Well.. by TechyImmigrant · · Score: 2, Funny

    Well DNS operators do appear to be in a bit of a bind don't they?

    --
    Evil people are out to get you.
    1. Re:Well.. by num42 · · Score: 1

      I was BOUND but then i became UNBOUND by PowerDNS. ;-)

      --
      "morning is a state of mind ;)"
  4. Ain't what it used to be.... by mcrbids · · Score: 3, Interesting

    Was once the day whe a notice like this would kick off a flurry of migrationn plans, compiler scripting, compiling, and restarting servers in the dead of night. (and bonuses to match!)

    But now?

    # yum -y update && shutdown - r now

    Sometimes I pine for the 'good old days'. A little. (ok, hardly at all)

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Ain't what it used to be.... by MichaelSmith · · Score: 1

      You seem to be just taking all changes and rebooting. I do that all the time on my ubuntu laptops but I wouldn't manage my servers that way.

      Having said that patching in netbsd will require a compilation at my end. It would be nice if I could just update a package. The infrastructure is right there for it...

      --
      http://michaelsmith.id.au
    2. Re:Ain't what it used to be.... by ScytheBlade1 · · Score: 4, Informative

      I'm just hoping that CentOS pushes out the update before 10:00 PM MST today.

      Why?

      So I'll get my daily e-mail status update, telling me to do just that: run yum, and then restart (just bind) -- as opposed to seeing it tomorrow.

      As a footnote, it is generally a good thing to subscribe to whichever vendor's security-announce list that you use. It is really nice getting e-mail notifications of security-related package updates. CentOS has one, right here: http://lists.centos.org/mailman/listinfo/centos-announce

    3. Re:Ain't what it used to be.... by lordkuri · · Score: 4, Insightful

      Why in the holy hell would you reboot a server to put a new install of BIND into service?

    4. Re:Ain't what it used to be.... by palegray.net · · Score: 4, Insightful

      Because modern-day admins don't know how to restart a service?

      Oh, wait, these are fellow Linux "admins" we're talking about...

      --
      512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    5. Re:Ain't what it used to be.... by DeathElk · · Score: 1

      And hope to hell you've got some sort of LOM for when your server doesn't come back up.

    6. Re:Ain't what it used to be.... by QuoteMstr · · Score: 1

      The strange thing is that he used shutdown -r now instead of this newfangled reboot the kids like to type. If you know what shutdown does, you should know when to not use it.

    7. Re:Ain't what it used to be.... by Olmy's+Jart · · Score: 1

      This isn't Windows...

      # yum -y update named\* && service named restart

      (Not sure if yum [or apt] would restart named and NOT willing to take the chance.)

    8. Re:Ain't what it used to be.... by houstonbofh · · Score: 2, Funny

      Remember when "shutdown -rfn" would work? Ahh... The days of youth.

    9. Re:Ain't what it used to be.... by Antique+Geekmeister · · Score: 2, Insightful

      Because you may have a stack of other pending updates, particularly kernels, and this has been the first "gotta switch" update in quite some time for those core servers? Also because without the occasional reboot under scheduled maintenance, it's hard to be sure your machines will come up in a disaster. (I've had some gross screwups in init scripts and kernels cause that.)

    10. Re:Ain't what it used to be.... by c0y · · Score: 1

      Because the OP probably had a lingering kernel update anyway. They come out with enough regularity that, despite having been current on my boxes sometime in the last two weeks, I found another one after returning from vacation this weekend. It wasn't critical and not worth taking the time for immediate action on. Still, I'm not that brave. I like to examine yum a little more closely.

    11. Re:Ain't what it used to be.... by secolactico · · Score: 3, Informative

      You seem to be just taking all changes and rebooting. I do that all the time on my ubuntu laptops but I wouldn't manage my servers that way.

      More so because some package managers (such as CentOS) tend to replace customized init.d files with the stock ones (renaming the ones you had). This is not really a big deal, but it sometimes breaks some services.

      --
      No sig
    12. Re:Ain't what it used to be.... by Elshar · · Score: 1

      I see that there's several versions of BIND in the pkgsrc binary packages tree, wouldn't a new patched one show up there fairly quickly? That would solve you having to recompile anything. Not that BIND generally takes a long time to compile on fairly modern hardware..

    13. Re:Ain't what it used to be.... by MichaelSmith · · Score: 1

      You are right but I would have to find a clean way to uninstall the built in one. Otherwise I might pick up part of the wrong version. I think the debian approach of putting much or all of the base system inside built in packages makes upgrades a lot easier.

      --
      http://michaelsmith.id.au
    14. Re:Ain't what it used to be.... by FishWithAHammer · · Score: 3, Funny

      I never heard that one, but please tell me it stands for "Right Fucking Now."

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    15. Re:Ain't what it used to be.... by mcrbids · · Score: 1

      Because modern-day admins don't know how to restart a service?

      Oooh! Oooh! I think I can get this one! Either of these should work:

      # service named restart;
      # /etc/rc.d/init.d/named restart;

      But... if you have a properly designed network, why the **** wouldn't you reboot your name server? Given that there are minimally TWO of them registered for your domain name, that the DNS protocol is designed to seamlessly fail over in the event of a failure, rebooting the name server will have no discernible effect for any end user, but will provide assurance that all libraries and settings have taken full effect, as the O/S vendor intended.

      I have 4 name servers, and move them around as needed to ensure low-latency, redundant connections. Fault tolerance is most important. Any server or network can go down and still result in my ability to change DNS and publish globally on short notice in the event of a severe outage. A single nameserver being down for the ~ 1-2 minutes it takes to reboot is a non-issue.

      Downtime: 0

      Peace Of Mind: 1

      You tell me, (ahem) ninja super-admin-who-knows-how-to-(re)start-a-service?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    16. Re:Ain't what it used to be.... by palegray.net · · Score: 1

      Sure, you should have four authoritative nameservers. There is still no excuse for bouncing an entire box when a simple service restart is completely sufficient. Do you honestly issue a host restart every time you want [insert DNS daemon here] to kick over? If you do, you're completely retarded.

      Assuming you have failover for other services running on your network (as you probably should if you're working in an organization that gives two rips about service availability), do you restart entire servers each time you want to bounce Apache?

      Have a cold beer and think about this for awhile. Please refrain from touching any keyboards until you've figured it out.

      --
      512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    17. Re:Ain't what it used to be.... by palegray.net · · Score: 2, Funny

      I think I'm going to alias "reboot" to 'echo "go read some man pages and come back later"' on a bunch of servers now :)

      --
      512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    18. Re:Ain't what it used to be.... by FireFury03 · · Score: 2, Insightful

      More so because some package managers (such as CentOS) tend to replace customized init.d files with the stock ones (renaming the ones you had). This is not really a big deal, but it sometimes breaks some services.

      If you are modifying packaged files that aren't marked as %config in the RPM spec then you're doing it wrong. 99% of the time you don't need to modify those files anyway, the other 1% of the time you really should be building a custom package and adding it to yum's exclude list.

      --
      http://blog.nexusuk.org
    19. Re:Ain't what it used to be.... by FireFury03 · · Score: 1

      Because modern-day admins don't know how to restart a service?

      Oooh! Oooh! I think I can get this one! Either of these should work:

      # service named restart;
      # /etc/rc.d/init.d/named restart;

      Properly designed packages do "service foo condrestart" on upgrade anyway, so most of the time you don't need to manually restart anything.

      But... if you have a properly designed network, why the **** wouldn't you reboot your name server? Given that there are minimally TWO of them registered for your domain name, that the DNS protocol is designed to seamlessly fail over in the event of a failure, rebooting the name server will have no discernible effect for any end user,

      I'm afraid you're wrong. If one of your DNS servers disappears, stuff will continue to work *slowly*. If you have 2 NS records then each server will get 50% of the requests. That means that 50% will go to the dead server and have to wait for a timeout before trying the working one.

      There are other reasons for not rebooting - restarting bind takes approximately 2 seconds, rebooting one of my servers takes several minutes. As with all reboots I then have to spend time checking that all the other services on the box came back up ok (yes, they should, but these things don't always work so you have to check).

      but will provide assurance that all libraries and settings have taken full effect, as the O/S vendor intended.

      There is only one OS vendor I can think of who intends you to reboot after anything gets updated, and they don't do Linux distributions...

      --
      http://blog.nexusuk.org
    20. Re:Ain't what it used to be.... by Anonymous Coward · · Score: 1, Informative

      Still works, according to shutdown(8) on CentOS.

      -r : reboot
      -f : skip fsck
      -n : don't go through init, just kill everything

      Would be a pretty fast way of rebooting, especially if you have lots of slot K* scripts in /etc/init.d/*

      It's not recommended, though, because you never know how much "just kill everything" is going to destroy... Corrupt files, etc.

    21. Re:Ain't what it used to be.... by ChristofferC · · Score: 1

      telinit 6

    22. Re:Ain't what it used to be.... by FishWithAHammer · · Score: 1

      That's not as funny.

      Color me disappointed.

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    23. Re:Ain't what it used to be.... by skarphace · · Score: 1

      Yeah, they use this funky 'service' command instead of the one true way: hand-running the script in /etc/init.d

      Running a daemon as a service keeps it monitored. If the service failed for any reason, it's restarted. Totally hands-off for the admin.

      (That is, if it has the same behavior as svscan as I recall...)

      --
      Bullish Machine Tzar
    24. Re:Ain't what it used to be.... by houstonbofh · · Score: 1

      You have to have been involved when it occurred. There is a reason -f is skip fsck, not just fsck. We knew what it meant, but we had to have something to put in the manual.

    25. Re:Ain't what it used to be.... by FishWithAHammer · · Score: 1

      Before my time; I had a XENIX machine in the early 90's, but I was five years old when I got it and switched to DOS/Windows not long after. Only got back into Linux around 2000 or so.

      Care to elaborate? :-)

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    26. Re:Ain't what it used to be.... by houstonbofh · · Score: 1

      You have to go back to the old Sun OS and BSD stuff of the 80s. http://en.wikipedia.org/wiki/SunOS The old Sun workstations (and sun workstations http://en.wikipedia.org/wiki/SUN_workstation ) were very popular at universities. Unix then was kind of a closed and open source. It was commercial, but everyone who bought the hardware had the source code. So patches commonly went beck in if they were good. When virtual memory started extending shutdown times, some shorter commands were needed. Especially when there was an environmental reason to shutdown and save your work NOW. I am not sure, but I think "shutdown -rfn" was actually in common use before fsck was.

      Funny, now that I look back... Early VMS and Unix was a community a lot like modern open source. Probably because it started with a lot of the same people, and GNU was cheaper.

  5. All versions of Bind 9? by Yvan256 · · Score: 2, Funny

    Good thing I'm using FreeDOS!

    1. Re:All versions of Bind 9? by tygerstripes · · Score: 5, Funny

      But it's a DOS vulnerability!!! Sheesh, read the title...

      --
      Meta will eat itself
  6. At least someone agrees that BIND 9 had issues... by bogaboga · · Score: 2, Interesting

    According to this document, BIND 9 has issues including being monolithic, having a "Bad Process Model", Hard to Administer and Hard to Hack. That's not a good reputation to have.

    To some extent, these issues apply to everything Linux save for the last point. I am waiting for the time these points will not apply to Linux and its associated software.

    I must say that understanding BIND's configuration file was not that easy for me at first but after trying several times, I can say I am almost an expert. Things can be made simpler though. A text based interactive system could be of a lot of help. Tools like Webmin come in handy too though they require that a system be running initially.

  7. Only effective against MASTERS... by Olmy's+Jart · · Score: 5, Informative

    From the advisory: "Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert."...

    So an obvious workaround is to only expose your slave DNS servers and to not expose your master server to the Internet. That's part of "best common practices" isn't it? You have one master and multiple slaves and you protect that master. Come on, this is pretty simple stuff. Just simple secure DNS practices should mitigate this. Yeah, if you haven't done it that way to begin with, you've got a mess on your hands converting and it's easier to patch. But patch AND fix your configuration.

    1. Re:Only effective against MASTERS... by jurv!s · · Score: 1

      agreed. ++

      --
      sigs are for fools and trolls. no signature is *always* appropriate. you should turn them off in your preferences.
    2. Re:Only effective against MASTERS... by Jurily · · Score: 1

      That's part of "best common practices" isn't it?

      Two posts up there is someone mentioning a reboot to solve this. Best practices seem like rocket science around here...

    3. Re:Only effective against MASTERS... by totally+bogus+dude · · Score: 1

      Hmm, both of my public servers are 'masters' because the zones are synced via rsync over SSH from an internal server which actually has the master copy of the zones. However as far as bind is concerned, they public-facing ones are masters.

      I could potentially trick it into thinking it's a slave zone but seems too fiddly/risky, so I'll just wait for it to be patched. Nagios will tell me if they stop working, anyway.

    4. Re:Only effective against MASTERS... by Olmy's+Jart · · Score: 1

      Perhaps you should rethink that mistake and create a real "master" and make them "slaves". The system was designed this way for a reason. It baffles me why people do things this this way.

    5. Re:Only effective against MASTERS... by raddan · · Score: 4, Insightful

      Because lots of people don't want intruders being able to affect the actual zone data in case an outward-facing DNS server gets compromised. Using SSH to transfer zone data is much easier and more secure than BIND's own zone transfer mechanisms (e.g., you can automate and schedule them), and you don't have to worry about zone transfers through firewalls. Troubleshooting all the weird crap that can happen between different DNS daemons all supposedly doing regular AXFRs is a real pain in the ass. SSH makes life easier.

      If having a DNS machine on the Internet that thinks it is a master really is a mistake, when then, BIND9 is a piece of shit. This is the most straightforward thing a DNS daemon should be asked to do.

      Nowhere in BIND's manual does it say people have to use BIND in a master/slave setup.

    6. Re:Only effective against MASTERS... by totally+bogus+dude · · Score: 1

      I do it that way mostly because I didn't previously consider "type master" to be a potential vulnerability (they don't have dynamic DNS or anything fancy enabled). Maybe it is time I looked into djbdns, now that it's no longer a pain in the ass to install.

      As for not using the built-in zone transfer method, that's partly because I don't particularly like it, but mostly because I don't see any reason to allow access to our internal hosts from our DMZ unless absolutely necessary -- and this is not a case where it's "absolutely necessary". My own sync mechanism ensures that all transfers are initiated from the internal host rather than from an untrusted public facing server, and the content DNS servers are always up to date.

      Having a play now, it seems pretty feasible to configure it as a slave but not use bind's zone transfer mechanism, using 127.0.0.1 as the master. The only issue is almost all my domains were immediately considered expired since the zones are only updated when they're actually changed. I can sort of work around that by setting the expires time really high, but it appears to now be used as the time to cache NXDOMAIN results which could have some unpleasant side effects. It seems touching the zone file solves that... so maybe I can schedule a job to touch them and reload bind each day?

      I guess it's doable, but it seems like a lot of hoops just to avoid the software's built-in stupidity. Maybe it really is time to switch to something else. Thanks for the advice.

    7. Re:Only effective against MASTERS... by psyclone · · Score: 1

      Copying zone files over ssh means you then have to rndc reload/reconfig every time you change a single A record.

      With a "normal" hidden master + slaves setup, at least you can send Notifies which will cause the slaves to query the master and update the zone without a reload. Also, this is the only sane way to provide secondary DNS for a trusted third party.

      If you have a lot of zones, it can take a while to reload bind. If you only have a handful of zones, and you don't do secondary DNS, I'm sure reloading is quick.

    8. Re:Only effective against MASTERS... by kju · · Score: 1

      There is no need to reload all zones. You can easily detect which zonefiles have changed since the last reload and do "rndc reload ".

    9. Re:Only effective against MASTERS... by totally+bogus+dude · · Score: 2, Informative

      As kju responded, you can reload on particular zones if you want. The logs seem to suggest that bind itself only actually reloads the zones which have changed (i.e. mtime is newer than the last time it was loaded). I only get messages that it's loading every zone if I actually restart bind (stop and start), telling it to reload I only get messages about zones that have actually been changed.

      I haven't noticed any performance hit from doing a simple reload, but I only have 120 zones.

      If we were supplying secondary DNS for an (un?)trusted third party then yes I'd use bind's zone transfer mechanism. But we don't so it's not an issue - we only serve DNS for things we host/manage ourselves.

    10. Re:Only effective against MASTERS... by Fastolfe · · Score: 2, Informative

      So I'm responding not because I disagree with your conclusions, but I disagree with the logic you're using to justify them:

      Because lots of people don't want intruders being able to affect the actual zone data in case an outward-facing DNS server gets compromised. ...
      If having a DNS machine on the Internet that thinks it is a master really is a mistake, when then, BIND9 is a piece of shit. This is the most straightforward thing a DNS daemon should be asked to do.

      You start off with a reasonable statement (that you don't generally want compromised DNS servers to allow for the modification of data), but then you say bind9 is a piece of shit because it's a best practice that the masters (which hold the data) shouldn't be exposed to the public. Which is it?

      Using SSH to transfer zone data is much easier and more secure than BIND's own zone transfer mechanisms

      Would you care to elaborate on that? Doesn't TSIG secure zone transfers? TSIG is just as easy to set up as SSH keys are.

      (e.g., you can automate and schedule them)

      How much more automated can you make automatic zone transfers? What better scheduling of zone transfers than when the zones are modified?

      you don't have to worry about zone transfers through firewalls

      The only thing you need to open through the firewall is TCP and UDP port 53. Most firewalls make this easy, because "Serve DNS through the firewall" is a common configuration for firewalls.

      Troubleshooting all the weird crap that can happen between different DNS daemons all supposedly doing regular AXFRs is a real pain in the ass. SSH makes life easier.

      SSH makes life easier for someone that understands SSH, and does not understand DNS or firewalls.

      That being said, there are valid reasons you might not prefer to run a DNS master as the source for your slaves/shadow masters, and SSH might even be a good way to push your zone files out to those machines, but you have not provided any of those reasons.

    11. Re:Only effective against MASTERS... by Fastolfe · · Score: 1

      DNS queries are not encrypted, so if you believe the contents of your DNS zones should be secret, you'd better hope nobody queries them. You may be interested in TSIG, which can authenticate your secondaries to your master. If you'd prefer to store and manage your zone files "offline", pushing them out to one or more masters through SSH or something might be the right thing to do, but if you already have an internal master, and need to update some public-facing slaves/shadow masters, there's no reason to re-invent DNS zone transfers.

    12. Re:Only effective against MASTERS... by totally+bogus+dude · · Score: 1

      Well the SSH is only used a convenient transport mechanism, with a nice side effect of some kind of authentication that the host it thinks its transferring the data to really is that host. But all the transfers happen through our internal network anyway, so it's not really important. The reason it's preferred is because the internal server connects to the DMZ server, rather than the other way around. We try to avoid letting DMZ hosts contact internal servers whenever possible, under the assumption that the DMZ server will one day be controlled by someone we don't like. That's why it's in a different network segment, after all.

      The internal master server doesn't actually run bind, though there's no particular reason it couldn't. The master puts together the zone files using an in-house templating system, then copies the internal versions to our internal resolvers (which also handle recursive requests for web browsing and so on), and copies the public versions to the public servers whenever I tell it to.

      As per the article, with this vulnerability access controls don't help. So if an attacker compromised our public servers, they'd be able to use this to shut down the internal server (since the slaves need to be able to contact the master). Not so bad since this is just a DoS, but what if it could be used to execute code? Now the internal server is trivially compromised using the same flaw that was used to compromise your public server.

      And what's the benefit? So we can avoid using "type master" in a config, which apparently doesn't just mean "don't try to update the zone from another server, your copy is fine and always accurate" but also means "and also do retarded things like process dynamic DNS update packets even if it's not enabled"?

      Fair enough, no software is perfect and we always have to do stupid workarounds for stupid features -- it's part of the job. But I still reserve the right to bitch about it. And I think I will switch to different, less "featureful" software. Though with the aforementioned templating system we're moderately invested in the bind zonefile format so will need to use something compatible with that.

    13. Re:Only effective against MASTERS... by coolgeek · · Score: 1

      This might help too.

      --

      cat /dev/null >sig
    14. Re:Only effective against MASTERS... by Fastolfe · · Score: 1

      Clearly, there are differences between "slave" and "master" in BIND's logic, but from a practical perspective, what's the difference?

      You're absolutely right: a compromised server can't be trusted to give faithful replies, regardless of how bind has it configured. I think the recommendation to not run your primaries exposed is intended to protect the zone data itself, not the queries served by the machine (though, in theory, that's what DNSSEC is for). Many DNS configurations involve a single machine that acts as a DNS master, and on that machine are the only copies of the "live" zone files. If that machine gets compromised, it requires a fair bit of manual effort to recover the zone files from backups, replay any updates that needed to be made, and return to service.

      In more complex setups (such as yours), the live zone files are not stored exclusively on the masters. They come from Somewhere Else (a config repository, LDAP, whatever), and you need some sort of out-of-band process to get the data to the DNS masters to be served. SSH/rsync/whatever are perfectly fine ways to do that OOB transfer. But for most setups, the simplistic configuration makes the most sense, especially if you have to deal with dynamic updates, where it may be difficult to propagate changes back to your config repository.

      TSIG doesn't offer us anything that SSH doesn't.

      Which is essentially what I was trying to say: TSIG and SSH solve the same authentication problem, so if your source is a DNS server, and your destination is a DNS server, why reinvent zone transfers?

      The next time I mention something about the way I run my network, I'll make sure my explanation is up to your standards. Sheesh.

      Run your network however you prefer! Just don't advocate for your design, and rail against more common configurations and their associated best practices, using reasons that do not support your arguments. You have valid reasons to run your systems the way that you do, so use them to justify your design, but be aware that they do not extend to cover other configurations.

    15. Re:Only effective against MASTERS... by Fastolfe · · Score: 1

      We try to avoid letting DMZ hosts contact internal servers whenever possible ... The master puts together the zone files using an in-house templating system

      Both of these are great reasons to populate your masters with your zone data out-of-band.

      And what's the benefit?

      Dynamic updates become difficult if your masters get their data OOB, since they have no way of knowing how to propagate those updates back to the source. It just depends on your needs and your setup. For the majority (?) of configurations, having an inaccessible master doing zone transfers to exposed secondaries is perfectly reasonable. For more complex setups such as yours, it's not, but that design has its own set of costs.

    16. Re:Only effective against MASTERS... by psyclone · · Score: 1

      Reloading a zone is fine when you've changed an existing zone. I do this via: rndc reload ${zone} on the hidden master which sends notifies to the slaves.

      However, you must do a reconfig for bind to see new zones.

    17. Re:Only effective against MASTERS... by psyclone · · Score: 1

      Reloading a zone is fine when you've changed an existing zone.

      However, you must do a reconfig for bind to see new zones. (e.g. a list of zones is included from named.conf) Unfortunately, doing a full reconfig on > 120,000 zones takes awhile. (A few minutes at least)

      But yeah, on a simple setup like yours, stick with ssh. You don't have to setup rndc keys, and you keep your configs much simpler, hence bind is more secure. And a reconfig happens in seconds with only a few hundred zones.

  8. For goodness sake upgrade.... by syousef · · Score: 4, Funny

    ...to Windows! DOS is just so 80's and 90's it's not funny.

    (Suggested mod: +1 funny)

    --
    These posts express my own personal views, not those of my employer
    1. Re:For goodness sake upgrade.... by syousef · · Score: 1

      Si, creo que tres o cuatro seria mucho mas moderno.

      I' m apesadumbrado, no hablo español (solamente me utilice Babelfish)

      --
      These posts express my own personal views, not those of my employer
    2. Re:For goodness sake upgrade.... by Sicarul · · Score: 2, Funny

      hahaha automatically translated Spanish is so funny (Spanish is my mother language) Though, i don't know what he meant, he said "Yes, i think three or four would be much more modern"... i don't see how it applies to it's previous post... three or four windows? O.o

  9. Re:At least someone agrees that BIND 9 had issues. by Anonymous Coward · · Score: 1

    Difficult compared to what? DJBDNS is much more difficult to wrangle. It's really not that bad if you attempt to learn it.

  10. djb by dickens · · Score: 4, Funny

    Somewhere I think djb is managing to both smile and raise his eyebrows simultaneously.

    1. Re:djb by siddesu · · Score: 1

      came for the djb mention, leaving satisfied.

      / yes, I am.

    2. Re:djb by rs79 · · Score: 1

      Praise be to Dan and may peace be upon him.

      --
      Need Mercedes parts ?
    3. Re:djb by Anonymous Coward · · Score: 1, Informative

      None of that changes the fact that his software is several orders of magnitude more secure than the competition.

      Him being an asshole doesn't change any of that and the constant harping on about it smacks of resentment and an inferiority complex.

    4. Re:djb by __aaxwdb6741 · · Score: 1

      I considered using djbdns until I stumbled across his inflammatory and borderline-fanatic attitude against BIND. What the hell, man? It's just a DNS server. Get over it.

    5. Re:djb by dickens · · Score: 1

      I use his software even though I do know that he has some strong opinions, and probably some ridiculously strong opinions. He's not a politician, it's clear.

      The stuff is beautifully simple. Qmail too.

  11. LDAP based Zone updates by Zombie+Ryushu · · Score: 1

    This is a reason why I want to be able to do LDAP based zone updates.

    1. Re:LDAP based Zone updates by Olmy's+Jart · · Score: 1

      How would that help with this? You don't even need dynamic updates enabled for this to be exploited.

  12. Servers behind Firewalls by Bilbo · · Score: 2, Insightful

    It's unlikely that, if you're running a DNS server inside of your private network, someone on the outside is going to be able to hit it. But then, like all other vulnerabilities, you combine this one with a couple of other attacks (such as a non-privileged login), and all of the sudden you've got something really dangerous. :-(

    --
    Your Servant, B. Baggins
    1. Re:Servers behind Firewalls by Olmy's+Jart · · Score: 2, Insightful

      A server behind a firewall does not imply a server on a private network. You can have firewalls in front of a DMZ on a public address providing services. Firewalls are used for much more than merely "private networks". Those are two orthogonal issues.

      OTOH... A master on a private network providing zone feeds to slaves on various other networks (firewalled or not) on public addresses would be a very good idea.

    2. Re:Servers behind Firewalls by Antique+Geekmeister · · Score: 1

      Please remember that most "private" networks aren't. They have laptop or VPN access to potentially compromised hosts, which may insert attacks from behind your typical firewalls. I've had considerable difficulty explaining this to management who have, effectively, been lied to for years by their own staff who refuse to accept responsibility for the existing insecure mess, and who are uninterested in the unglamorous and unpopular work of fixing it.

    3. Re:Servers behind Firewalls by Bilbo · · Score: 1

      Good point, especially since it is claimed that even servers which are not configured to accept dynamic updates are still vulnerable.

      --
      Your Servant, B. Baggins
  13. Re:At least someone agrees that BIND 9 had issues. by profplump · · Score: 5, Informative

    Recent versions of BIND (8+) are not terrible to administer, and have much more reasonable data files. Older version were *really* nasty, and had a data file format so complicated that we invented a dedicated zone-transfer mechanism just so people could send DNS data to each other.

    And while djbdns uses an unconventional admin system with lots of environmental variables, that's a one-time setup (that is probably done in large part by your package manager) and the actual data files are dead-simple -- plain text, one record per line, can do DNS lookups at build time, can concatenate files, etc. There are valid complaints to be made about djbdns, but I don't think "difficult to wrangle" is one of them.

  14. No need to restart bind after updating using yum by dusanv · · Score: 2, Informative

    It gets restarted automatically. Check system.log.

  15. Okay, I read the ISC alert. by mmell · · Score: 1, Troll
    They're right. This is a major exploit, especially in view of the fundamental nature of name services to the internet. With repeated application (or by combining with DDoS techniques) I could see holding an entire domain down for an extended period of time. Now, then . . .

    Only a fool would configure public-facing DNS servers as masters, although I've seen it done. Only the king of the land of fools would put his domain's real DNS master on a public-facing network. Thus, only domains administered by fools should be directly affected. Darwin for teh win!

    1. Re:Okay, I read the ISC alert. by Tetch · · Score: 1

      > Only a fool would configure public-facing DNS servers as masters

      While I must agree with your basic assertion here [if not BIND's :-)], something that is often disregarded by non-security folks is that security threats can arise from within the organisation ...

      It only takes one malicious employee to bring in an attack tool from outside - I haven't seen any exploit PoC code for this, but such a tool might consist of 100 lines of C and a C compiler.

      --
      If you don't pray in my school, I won't think in your church.
    2. Re:Okay, I read the ISC alert. by mmell · · Score: 1

      It's the same old story - the only truly secure system is disconnected from tne network, powered down and disassembled - and even then, I wouldn't bet my life on it to be absolutely secure!

    3. Re:Okay, I read the ISC alert. by Akatosh · · Score: 1

      Only a fool would configure public-facing DNS servers as masters

      At a minimum you're going to be 'type master' for localhosts forward and reverse and broadcast zones as per rfc1912. You're also going to be master for rfc1918 space if it's a recursive name server. The word 'master' in the context of this bug is the bind configuration option 'type master', present in ?all? bind configurations, not the name server that controls updates to others.

    4. Re:Okay, I read the ISC alert. by Akatosh · · Score: 1

      Yes and no. Riddle me this: are your isp's recursive name servers public facing? The internal network in this case is a public network, and a malicious virus infested one at that.

  16. Pray it comes back by russlar · · Score: 1

    # yum -y update && shutdown -r now

    and pray to FSM that it comes back up.

    --
    Anybody want my mod points?
  17. Always do a reboot test ... by ZeekWatson · · Score: 4, Insightful

    If you're running a serious server you should always do a reboot test after installing any software. I've been burned many times by someone doing a "harmless" installation only to find out 6 months later a critical library was upgraded with an incompatible one (a recent example is expat 2.0) and the server doesn't boot like it should.

    Always reboot! Even with the super slow bios you get in servers nowadays it should only take 2 minutes to be back up and running.

    1. Re:Always do a reboot test ... by DNS-and-BIND · · Score: 1

      So...with linux, you should always reboot upon applying any sort of application update. I weep for the future of our computing race.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Always do a reboot test ... by Vancorps · · Score: 2, Interesting

      Why? You're DNS servers are clustered and load balanced right? rrright? Those of us that need our infrastructure up don't think twice about rebooting even during the day! A golden age we live in indeed when I can just take the server out of the load balancer rotation, apply updates, perform reboot rest, and then put it back into rotation repeating the steps for all servers in the cluster.

    3. Re:Always do a reboot test ... by MrMr · · Score: 1

      I wouldn't consider a simple parser that replaces a critical library a 'harmless' installation.
      Please tell which repository managed to mess up that badly, so I can steer away from it in the future.

    4. Re:Always do a reboot test ... by sago007 · · Score: 2, Insightful

      If you're running a serious server you should always do a reboot test after installing any software.

      You should obviously wait to outside working hours in case it actually breaks something.

      If you apply an update over ssh you should test that you can create a new ssh connection before you disconnect the first one.

    5. Re:Always do a reboot test ... by dbIII · · Score: 1

      It's what nights, weekends or redundant systems are for. It's not as if you make major changes every week to things that might muck up the startup sequence.

    6. Re:Always do a reboot test ... by SinShiva · · Score: 1

      sync and restart the service, moron

  18. OMG... by Garion911 · · Score: 5, Interesting

    I reported a bug *very* similar to this back in Oct, and only now its coming to light? WTF? I submitted this back in january and it was rejected. Ah well. Here's my page on it: http://garion.tzo.com/resume/page2/bind.html

    --
    Slashdot is like Playboy: I read it for the articles
  19. Re:At least someone agrees that BIND 9 had issues. by Anonymous Coward · · Score: 1, Informative

    Recent versions of BIND (8+) are not terrible to administer

    Try configuring dynamic DNS through nsupdate with a shared secret.

    If you have an NS key, you can specify the key on the command line, or you can store the key in a file, and pass the filename.

    The former is a security risk (as anyone running 'ps' can see your key). The latter? Well, someone decided that it would be a good idea to hard code metadata in the filename (even though the same metadata must be present inside the file too.) Oh, and you need two files, even though it's only using one. Oh, and you need to name the key the same as the zone in your named.conf.

    Considering that I've only ever seen that level of idiocy from first year comp-sci majors, I have to wonder at the technical competence of the people in charge of writing BIND.

  20. Re:I have my own "patch", called a HOSTS file... a by ShakaUVM · · Score: 1

    Your post reads like you'll ask for $20 to show people how THEY TOO CAN SET UP A .HOSTS FILE.

    Just saying.

    Also, your approach is stupid because I like to use the internet.

  21. There's no place like 127.0.0.1 (click) There's no by Nefarious+Wheel · · Score: 1

    Don't forget to set your hosts file to read only. There's bastards out there who will rewrite it for you. Ads. I have a huge hosts file too. But it's mostly for homing out annoyances. Tip: Use Notepad++ for editing your hosts file instead of standard Notepad. The former preserves the lack-of-extent Hosts requires. The latter adds .txt, and you're stuck shuffling file names around. Nice little editor, too.

    --
    Do not mock my vision of impractical footwear
  22. iptables to the rescue by kju · · Score: 5, Informative

    For a quick "fix":

    iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'

    Will block (all) dnsupdate requests.

    1. Re:iptables to the rescue by noidentity · · Score: 1

      For an even quicker fix (works for any vulnerability):

      disconnect network cable(s)

    2. Re:iptables to the rescue by discogravy · · Score: 1

      that blocks all updates, including legit updates. If you're running a server that needs to process non-malicious updates, your best bet is to run a hidden-master/public-slave combination of servers (the attack doesn't work on slave zones).

      --
      FreeBSD for the impatient.
    3. Re:iptables to the rescue by kju · · Score: 1

      I wrote that it blocks all updates.

  23. Re:I have my own "patch", called a HOSTS file... a by hairyfeet · · Score: 3, Insightful

    Sounds like a lot of work when you can just run Treewalk DNS and be done with it.It is fast, uses very little resources (mine is using 5Mb ATM) and never gives a bit of trouble.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  24. Will CentOS 4 be updated? by inject_hotmail.com · · Score: 1

    Does anyone know if CentOS 4 will have an update for BIND to ver 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1?

  25. Re:I have my own "patch", called a HOSTS file... a by shentino · · Score: 1

    Any ISP's DNS that mucks about with NXDOMAIN is by definition not standard.

  26. Re:0 is smaller & F A S T E R, than 127.0.0.1. by shentino · · Score: 1

    Is it faster for 0.0.0.0 to give you nothing or for 127.0.0.1 to give you a connection refused?

  27. Re:I have my own "patch", called a HOSTS file... a by rs79 · · Score: 1

    " Your post reads like you'll ask for $20 to show people how THEY TOO CAN SET UP A .HOSTS FILE "

    Still cheaper than a $35 domain from Verisign.

    --
    Need Mercedes parts ?
  28. Re:Your point is.... what? by shentino · · Score: 1

    Just like I said in my post, I'm talking about ISPs (lookin at YOU charter...) that supply a malicious DNS server.

  29. Re:At least someone agrees that BIND 9 had issues. by rs79 · · Score: 2, Informative

    " Older version were *really* nasty, and had a data file format so complicated... "

    Rememeber that this was a product of the early 1980s; Brian Reid, Director of Digital Equipment Corporation's Network Systems Laboratory ("decwrl.uucp") hired a kid, Paul Vixie, to take the buggy Berkley B-tree code and turn it into something resembling professional software. At the time even C was not even close to ubiquitous, Assembler was though and in fact the great majority of code written for the early microprocessor based systems of that era was written in assembly.

    So it should not be any great shock that bind config files looked like assembly code, or that the later versions looked like C.

    Frankly I found the earlier bind config files much easier to use, and the djbdns config files even easier (once you get used to them) to use, and (much) more importantly, you can write a program to manipulate these datum very easily. It's ugly and complicated with bind data files of any version.

    --
    Need Mercedes parts ?
  30. Still using BIND...? by bagsta · · Score: 1

    Come on people, still using BIND? Why don't you use djbdns? It's easier to use and has a guarnatee!!!

    --
    Until the skies turn blue...
    Until the air of freedom strikes us...
  31. Re:No need to restart bind after updating using yu by palegray.net · · Score: 1

    While this is true for CentOS (RHEL) and Debian-based distros, it's not universally true for others.

    --
    512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
  32. Try alternatives by frn123 · · Score: 1

    There are excellent alternatives to bind.
    For example, i have been using nsd for years.
    Super easy to configure. Lacks recursive
    resolver tho..

    http://www.nlnetlabs.nl/projects/nsd/

  33. Smug by TheLink · · Score: 3, Funny

    Smugness to spare? My smugness was overflowing more than BIND9 buffers.

    Great opportunity to vent some smugness today :).

    --
  34. Re:god they should learn programming by gd2shoe · · Score: 3, Insightful

    It could have been worse (and no, I haven't read the article yet). Failing an assertion means that they actually wrote an assertion that did it's job. It's impossible to know without reading the code, but this might have been a remote code execution exploit if they hadn't.

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
  35. Re:Why waste CPU cycles on that vs. HOSTS though? by erikdalen · · Score: 1

    You should really read up on data structures, using a hash map which I guess most DNS-servers use is a LOT faster than searching through a hosts file.

    --
    Erik Dalén
  36. Re:god they should learn programming by rolfc · · Score: 2, Informative

    I am already updated. Thanks to Debian.

  37. Poor coding by julesh · · Score: 2, Interesting

    Why on earth is BIND shipping with assertions that cause the entire server to exit when they fail? They should just cause processing of the current request to exit.

    1. Re:Poor coding by Ethanol · · Score: 1

      BIND 9 has had a lot of DoS vulnerabilities because of its many asserts. (Addressing this is a goal of BIND 10, actually.) But BIND 9 has had, as far as I know, zero remote code execution vulnerabilities. So the asserts are doing their job.

  38. Re:At least someone agrees that BIND 9 had issues. by MrMr · · Score: 1

    BIND is not a typical Linux application. It was developed at Berkeley and shipped with BSD Unix, and later also with Windows.
    Not a very clever bit of trolling.

  39. Master for "localhost"? by sa3 · · Score: 2, Interesting

    You may hide your master DNS servers but your slaves are probably still master for "localhost".

    1. Re:Master for "localhost"? by DaemonDazz · · Score: 1

      +1 spot on

  40. roflcopters by justinlee37 · · Score: 1

    So, basically, the program can be crashed by a specially-crafted malicious update package, and the designers of the program are asking you to update the program in order to shield yourself from exploitation by updates.

    I think there's a joke in there somewhere. Anybody want to give it a shot?

  41. Re:There's no place like 127.0.0.1 (click) There's by smoker2 · · Score: 1

    Tip: Use Notepad++ for editing your hosts file instead of standard Notepad. The former preserves the lack-of-extent Hosts requires. The latter adds .txt, and you're stuck shuffling file names around.

    No it doesn't. Why do you lie ?
    If you create a new file it will append .txt . You can open the existing hosts file by right clicking and selecting "open with" and then choose notepad. It doesn't append .txt to an existing file name.

    I don't generally care anyway, as I can vi /etc/hosts which is much quicker than trying to remember where MS hid the file on their OS.

  42. Why not ? by bytesex · · Score: 1

    Time to let go of that ancient rule that ports under 1024 are root-only.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  43. Re:It's because it works, & I believe in every by ShakaUVM · · Score: 4, Funny

    My approach isn't stupid in regards to that. Free? That's a "pretty good price", wouldn't YOU say? And, you're also FREE to customize it, & thus, YOUR PERSONALIZED VERSION OF A CUSTOM HOSTS FILE, JUST GOES ALONG WITH YOUR PERSONALIZED SPED UP & SAFER VERSION OF THE INTERNET... &, just as YOU see fit & like, easily. Notepad.exe for instance? My gosh - lol, just "does wonders" here, on this account... lol!

    Are you the ghost of Billy Mays?

  44. Asserts... by LSD-OBS · · Score: 1

    And this is why asserts should *never* go into production builds of any project. It's fine to have asserts in your debug build, but ALWAYS deal with the unexpected case immediately after your assert (which should be compiled out in release mode).

    If you have no way of throwing an error and handling it gracefully back up your call stack (no, you don't always need exceptions for this), then you've done a shit job!

    --
    Today's weirdness is tomorrow's reason why. -- Hunter S. Thompson
  45. Re:It's because it works, & I believe in every by Fizzl · · Score: 1

    May I have your contact information? I would like to hire you next time I need to write a come-on for an item I'm trying to peddle :P

    --
    Bot Assisted Blogging
  46. Re:There's no place like 127.0.0.1 (click) There's by jimbob666 · · Score: 1

    Tip: In Notepad.exe if you surround the filename and extension with quote marks (") on your new file it will keep the extension and not append .txt

  47. Re:god they should learn programming by num42 · · Score: 1

    it's not an article but a security advisory. meaning _if_ you run BIND9 somewhere please do read it. ;-)

    --
    "morning is a state of mind ;)"
  48. Re:There's no place like 127.0.0.1 (click) There's by Nefarious+Wheel · · Score: 1
    I do not lie. It appends .txt when you save it, not when you open it. Duh?

    Isn't 0.0.0.0 the broadcast address? Likely blocked by your router then. Comma si, comma sa.

    It's generally in c:\windows\system32\drivers\etc

    --
    Do not mock my vision of impractical footwear
  49. Re:There's no place like 127.0.0.1 (click) There's by MinistryOfTruthiness · · Score: 1

    Notepad doesn't change the names of existing files, but it does seem to like to force the .txt on new files that it creates.

    I don't think 0.0.0.0 is the broadcast address. The only time I've ever seen it used is in combination with a /0 netmask to stand for "all addresses" e.g. 0.0.0.0/0 I believe the broadcast address is generally the last IP in the subnet, so if you're on 192.168.1.0/24, your broadcast would be 192.168.1.255.

    I'm no network guru, so maybe I'm off a bit too, but I think I'm closer. I'm sure others will be more than happy to correct me. :-)

    --
    "I know that every word that man just said is true, because it's EXACTLY what I wanted to hear." -- Space Ghost
  50. who cares... by godrik · · Score: 1

    ... about a security flow in MS DOS nowadays ?

  51. Re:duuuuude by flibuste · · Score: 1

    Duuude, by the time you setup your host file for all the sites you visit, the Internet age will be gone....Talk about "FAST".

  52. TCP or UDP? by yuna49 · · Score: 1

    I can't tell after reading the ISC release and various other documents how this exploit takes place. I have a machine with UDP port 53 publicly visible, but TCP port 53 is firewalled off against all IPs except the machines under my control. Is this a UDP or a TCP exploit?

    Someone above posted an iptables rule that applied to UDP port 53. Is that correct?