Slashdot Mirror


Potential 0-Day Vulnerability For BIND 9

Morty writes "BIND, the popular DNS server software, has been crashing all over the Internet. The root cause is believed to be a 0-day vulnerability in BIND's resolver. The ISC has issued an alert. Quoting: 'An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.'"

187 comments

  1. To the Red Phone! by Anonymous Coward · · Score: 4, Funny

    Alert DJB at once!

  2. 10 years ago by ghn · · Score: 4, Informative

    I had to choose which DNS server I would deploy on my servers. I went for TinyDNS as it had all the same features and security promises. Man am I glad to have considered security over popularity.

    1. Re:10 years ago by Compaqt · · Score: 4, Informative

      Another small DNS server is MaraDNS. It's considered a good alternative to BIND.

      Being a lot smaller, it's easier to secure.

      If you're just running a DNS cache on your desktop, check out dnsmasq. Click to install(Deb/Mint/Ubuntu)

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    2. Re:10 years ago by janeuner · · Score: 3, Funny

      It's hard to go wrong with DJB*.

    3. Re:10 years ago by afidel · · Score: 4, Funny

      Unless you have to actually work with him.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    4. Re:10 years ago by Compaqt · · Score: 1

      Wasn't there some sort of license problem with DJB stuff? Like the slowness of Java applets in the early 1990s, I don't think Slashdotters will let him live that down.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    5. Re:10 years ago by 19thNervousBreakdown · · Score: 1

      I don't know about his DNS server, but qmail had some goofy license that meant everything was just a series of patches.

      He's since released it into the public domain though.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    6. Re:10 years ago by Above · · Score: 5, Informative

      This particular vulnerability applies only to BIND9 operating as a recursive resolver. BIND9 operating in authoritative mode, similar to how TinyDNS operates, is unaffected. Had you properly deployed BIND9 for the same purposes you are using TinyDNS, you would not have been impacted by this issue.

    7. Re:10 years ago by Anonymous Coward · · Score: 1

      He had no license, believing that having no license and no copyright meant it was in the public domain. US law says otherwise, and DJB disagreed. Unfortunately, that put the software in limbo.

      Eventually, a license permitting distribution of unmodified source was added. This, of course, meant compiled versions and built-in tweaks to make it work with certain compilers (like GCC) and distributions were not permitted to be distributed. Patches were granted as an exception. Distributors were too lazy to build an auto-patch system.

      So, eventually DJB just decided, fuck it, here, just do whatever you like with it and that he'd comply with US law.

    8. Re:10 years ago by Anonymous Coward · · Score: 0

      what the fuck are you talking about "comply with US law"? no reason at all anyone involved needs to have license headers in those stupid source files.

    9. Re:10 years ago by swalve · · Score: 1

      Agreeing with dnsmasq. Bit of a bitch to set up just right, but I've got it working now running my firewall/router.

    10. Re:10 years ago by gmack · · Score: 1

      Better yet, use an Unbound resolving-only nameserver, since it supports signed zones.

    11. Re:10 years ago by ghn · · Score: 1

      I was referring to DJBDNS in general and not just the authoritative TinyDNS program. I was also speaking of BIND's security history in general, not only this specific issue.

    12. Re:10 years ago by Anonymous Coward · · Score: 0

      unbound is very nice for recursive DNS too.

      many more features than djb, and currently maintained.

      Mara had scalability issues in its recursive code (separate thread per query), which made it unsuitable for large installations. Yes, there is now a version to address this, but it wasn't stable when we swapped out djb.

    13. Re:10 years ago by gmack · · Score: 4, Informative

      The major problem with Qmail was that its design simply didn't take into account the possibility of a bad return address. The downside was that it couldn't bounce during reception and so was forced to generate a bounce message instead, and not only did spammers plug up the queue with bad messages, it ended up being used for reflector attacks where the attacker set the target's address as the return and sent messages that would bounce to many different servers. The whole problem ended up being so bad that many mail admins considered servers running Qmail to be almost as bad as an open relay, and there were people who actually maintained blacklists of servers running Qmail. That was right about when I stopped using it, but I hear there have been patches to fix the worst of its flaws since then.

      In short: it was secure for only some definitions of secure and for everything else DJB ignored the problem.

    14. Re:10 years ago by X0563511 · · Score: 1

      Glad to know I'm not the only one who thinks DJB makes no sense at all. Every time I see it it takes me half a freaking hour to figure out how to update a zone.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    15. Re:10 years ago by Anonymous Coward · · Score: 0

      The downside was that it couldn't bounce during reception and so was forced to generate a bounce message instead

      What you describe is a general drawback for reliable mail delivery: either the mail gets through, or it doesn't. That it didn't do recipient checking at RCPT time is a tradeoff made to make qmail secure and modular and to best implement per-user extension addressing.

      qmail isn't alone in this: Godaddy's custom MTA does the exact same thing.

      and not only did spammers plug up the queue with bad messages, it ended up being used for reflector attacks where the attacker set the target's address as the return and sent messages that would bounce to many different servers.

      Theoretically, that is possible. In practice I haven't seen spammers use that mechanism.

      The whole problem ended up being so bad that many mail admins considered servers running Qmail to be almost as bad as an open relay and there were people who actually maintained blacklists of servers running Qmail and that was right about when I stopped using it but I hear there have been patches to fix the worst of its flaws since then.

      A lot of people are irrationally against djb in any way. He's become like the president, every time something goes wrong people blame him. Those blacklists you speak of are less about addressing an operational problem and much more about irrational dick waving.

    16. Re:10 years ago by gmack · · Score: 3, Insightful

      and not only did spammers plug up the queue with bad messages, it ended up being used for reflector attacks where the attacker set the target's address as the return and sent messages that would bounce to many different servers.

      Theoretically, that is possible. In practice I haven't seen spammers use that mechanism.

      I used to run qmail and I have seen it used for that.

      The whole problem ended up being so bad that many mail admins considered servers running Qmail to be almost as bad as an open relay and there were people who actually maintained blacklists of servers running Qmail and that was right about when I stopped using it but I hear there have been patches to fix the worst of its flaws since then.

      A lot of people are irrationally against djb in any way. He's become like the president, every time something goes wrong people blame him. Those blacklists you speak of are less about addressing an operational problem and much more about irrational dick waving.

      It's not irrational if you observe a problem only to be ignored. As I said earlier, I used to run Qmail and I did so because of its security benefits, and while Qmail didn't get my box rooted the same way sendmail did, it still had its problems. I have since moved to postfix and now have a queue of 0 to 10 messages instead of the 300 to 1000 I had under Qmail, despite the fact that I have 3x the number of domains and 5x the number of messages than I did before.

    17. Re:10 years ago by Anonymous Coward · · Score: 0

      Here is a link to an earlier exploit and BIND config changes which should have pushed most towards disabling unrestricted access to DNS recursion.
      http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc

      Note -
      If you run a mail daemon on the same system as BIND then you'll also want to add localhost (127.0.0.1) to the ACL list of allowed hosts. Otherwise it will reject mail with "Domain of sender address ... does not exist". You can test this by doing "nslookup -type=mx google.com" and it should return a valid, non-authoritative answer instead of : Can't find google.com.

    18. Re:10 years ago by powdered+toast+dude · · Score: 2

      My understanding was that while he permitted source redistribution, he insisted that it be distributed only unmodified, and never as binaries. He also generally refused to accept patches, apparently thinking his pristine work ought to be good enough for everyone. (It was good, but needed features as time went on.) This meant that any "improvements" could only be distributed as patches. As a result, only source-based distros had an easy time packaging it, since sources + patches + build instructions is how they do business anyway. Having no friends with the binary distros, it got little distribution. It also languished on the vine since no one could push improvements upstream. Apparently he subsequently released both qmail and djbdns into full public domain, which means in theory they could be packaged and distributed normally now. Unfortunately, it seems too late for it to matter.

      --
      I'm an animal lover -- they're delicious!
    19. Re:10 years ago by Anonymous Coward · · Score: 0

      Sorry to hear that you aren't flexible enough to handle different kinds of software. I'm able to change A records in tinydns zones in seconds, just like I can do in BIND and Microsoft DNS.

    20. Re:10 years ago by Anonymous Coward · · Score: 0

      I used to run qmail and I have seen it used for that.

      Logs and specifics? Every time I push, it always ends up being vague generalizations, or FOAF anecdotes, or cargo cult sysadmin wives' tales.

      I'm not denying that it isn't a possible attack vector, but it certainly makes a clumsy one, and in my experience I haven't seen people use my qmail servers to attack someone like that.

      It's not irrational if you observe a problem only to be ignored.

      A lot of well known open source developers have routinely "ignored" "problems" when what was happening was the result of a perfectly acceptable tradeoff. Yet djb gets a disproportionate amount of ire. Look at how this slashdot post about a BIND problem quickly turned into an occupy-djb's-e-lawn movement.

      I have since moved to postfix and now have a queue of 0 to 10 messages instead of the 300 to 1000 I had under Qmail despite the fact that I have 3x the number of domains and 5x the number of messages than I did before.

      Doubtless that has to do with other configuration tweaks in the meantime.

      Note that I am not using qmail much these days (Exchange now "handles" most of our mail needs, much to my grief), so I am not trying to be a fanboi, but I am trying to add some perspective.

    21. Re:10 years ago by Onymous+Coward · · Score: 1

      I think GP was referring to how inflexible DJB the person can be. But certainly their comment could be used to refer to the software as well.

      Not only did DJB reject the design and development practices that left BIND such a threat but he also rejected a number of usual conventions around software management/installation/licensing. In his defense, he did it because he believed the conventions were bad. His own version of things makes sense and works well, but it's definitely weird if you're coming new to it.

    22. Re:10 years ago by X0563511 · · Score: 1

      Yea, convention is overrated. We should all do things the way we want, back like the good old early 90s! Clearly things were better that way. Fuck standards and conventions.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    23. Re:10 years ago by Anonymous Coward · · Score: 0

      Good point! We should all go back to the conventional way of configuring mail transport agents, which is sendmail.cf!

      </sarcasm>

      Seriously, I am sorry you feel threatened by change. I hope Netscape 4 on Motif is still working well for you.

    24. Re:10 years ago by MaraDNS · · Score: 3, Informative
      Let's not forget Unbound, which may be faster than MaraDNS's 2.0 recursive resolver. Then again, I just got some funding from a sponsor to work on speeding things up. Also, Unbound has DNSSEC -- something MaraDNS doesn't have.

      And, of course, there is Power DNS, another excellent DNS server.

      Then again, there's something to be said for being able to set things up using only a three-line configuration file, and a 64k binary works nicely for embedded places like OpenWRT where Unbound and PowerDNS won't fit.

      - Sam

      --
      MaraDNS is an open-source DNS server.
    25. Re:10 years ago by AvitarX · · Score: 1

      I thought it was quite pleasant to setup.

      I use it at work, where we have 2 sites connected with VPN (and each site with dnsmasq), and it works fantastically as a DHCP server, and dns server, allowing all computers to be accessed as computer.sitename

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    26. Re:10 years ago by MaraDNS · · Score: 3, Interesting

      Don't get me wrong, djbdns is an excellent DNS server. Unfortunately, it hasn't been updated for over 10 years and, since then, three different security holes have been discovered in the djbdns package, the root server list has been updated, errno has been changed to make Linux more thread safe (requiring a patch to compile it), and so on.

      djbdns can work -- but it requires patching by hand or using an unofficial fork like Zinq (which appears to still be supported -- the last release was done this year).

      (I can also murmur darkly about the fact that djbdns uses a circular queue instead of a LRU for its cache, its lack of a Windows port, its need to use external helper programs to configure the server, etc., but, then again, its core recursive binary is even smaller than MaraDNS 2.0's tiny recursive binary. And three security bugs in the last decade is better than the 13 security issues in MaraDNS I have had to patch against.)

      --
      MaraDNS is an open-source DNS server.
    27. Re:10 years ago by Anonymous Coward · · Score: 0

      Has dnsmasq improved in code quality? Some years ago it was rather crap in quality, I'd be surprised if it's improved a lot since.

    28. Re:10 years ago by Anonymous Coward · · Score: 0

      Unfortunately, it hasn't been updated for over 10 years and, since then, three different security holes have been discovered in the djbdns package, the root server list has been updated, errno has been changed to make Linux more thread safe (requiring a patch to compile it), and so on.

      Please stop spreading FUD. There have been 0 remote security holes discovered in djbdns.

      All your other points are valid, by the way (I should add that the way djbdns uses errno was never POSIX compliant anyway).

      (I can also murmur darkly about the fact that djbdns uses a circular queue instead of a LRU for its cache

      Profile, don't speculate.

      its lack of a Windows port

      Microsoft DNS lacks a Unix port, so it all evens out.

    29. Re:10 years ago by afidel · · Score: 1

      I was referring to him as a person, the fact that some of his idiosyncrasies bleed over to his software is the least of the issues I have with him =)

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    30. Re:10 years ago by Anonymous Coward · · Score: 0

      http://en.wikipedia.org/wiki/1989

      Please skip to March 1st, first line. It's up to you if you want to educate yourself. Suffice it to say, on that date, if you wanted to release something public domain by not bothering to say it's public domain, you were not complying with the law, which, on that date, said that if you don't bother to say it's public domain, it is instead copyright.

    31. Re:10 years ago by MaraDNS · · Score: 3, Informative

      Please stop spreading FUD. There have been 0 remote security holes discovered in djbdns.

      Please lay off the crack, wake up, and smell the coffee. This kind of denial is flat-out dangerous.

      I have a blog entry detailing the three security holes in djbdns and DJB paid the $500 security hole prize for djbdns years ago.

      The most dangerous hole in an unpatched djbdns 1.05 install is the TCP "packet of death" that forces dnscache to restart (since SIGPIPE isn't caught by dnscache). I really should file a CVE for that security problem.

      There is also CVE-2008-4392 as well as CVE-2009-0858; more information is in Debian's security page on djbdns.

      --
      MaraDNS is an open-source DNS server.
    32. Re:10 years ago by Anonymous Coward · · Score: 0

      MaraDNS... if you do not look at the source code.... I'm sorry, but most of the recursive resolvers are a mess. I stopped using MaraDNS precisely because of utter mess in the source code.

      Bind9 is by far still one of the best recursive resolvers. I do not use it for authoritative - for that I use nsd. Nsd was built as an authoritative DNS server. And if you actually read the source code of nsd vs. MaraDNS - you can read nsd, and MaraDNS makes you go blind.

    33. Re:10 years ago by MaraDNS · · Score: 3, Interesting

      Your information is out of date; I completely, from scratch, rewrote the recursive code of MaraDNS starting four years ago with far cleaner code.

      That code was declared stable over a year ago and looking at its source code won't make you blind.

      - Sam

      --
      MaraDNS is an open-source DNS server.
    34. Re:10 years ago by Anonymous Coward · · Score: 0

      Don't get me wrong, djbdns is an excellent DNS server.

      to be nitpicking:
      djbdns is a set of servers.
      tinydns is the authoritative, non-recursive content dns server. of this, no security issues have been reported in the last 10 years.
      dnscache is the recursive resolver over which some people argue that it might have a hole based on a dns protocol design flaw.
      if you want both functionalities but do not want to dig into dnscache, you can also use tinydns and ie unbound together. yes, it's that modular.
       

      djbdns can work -- but it requires patching by hand or using an unofficial fork like Zinq (which appears to still be supported -- the last release was done this year).

      plain wrong. it does not require patching. zinq is an effort to put many patches for the entire package together. it is still up to you to RTFM on what these patches do. not understanding these topics would also imply that you should simply not run dns software for the better of the rest of the world.

    35. Re:10 years ago by Anonymous Coward · · Score: 0

      plain wrong. it does not require patching.

      Bzzzzt. Wrong answer. It would be nice if djbdns fanboys would perform some basic research before regurgitating the same idiotic myths over and over again. Especially when said myths have already been refuted in the very same thread.

    36. Re:10 years ago by metrix007 · · Score: 1

      He believes his solution to be better than what a committee came up with and that he is perhaps smarter than them. I think he is perhaps right.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    37. Re:10 years ago by sentimental.bryan · · Score: 1

      MaraDNS is a great little server

    38. Re:10 years ago by swalve · · Score: 1

      I never looked at the code, but I've had no bugs and no crashes.

  3. Re:Impossible! by NoNonAlphaCharsHere · · Score: 2

    Oh for fuck's sake, it's an assertion error. Get over yourself.

  4. Re:Impossible! by 1s44c · · Score: 5, Insightful

    It's open source, and has had years to mature...so many eyes on it that this couldn't possibly happen.

    We don't even know what is happening yet. Maybe it's just a DOS, maybe it's a potential exploit. What we do know is that no-one has any need to put recursive DNS servers on the internet unless they are running an ISP or a DNS service.

  5. Re:Impossible! by Capt+James+McCarthy · · Score: 1

    As opposed to the years of paid professionals eyes on Windows?

    --
    There are no loopholes. It's either legal or it's not.
  6. Re:Impossible! by Desler · · Score: 0, Redundant

    Although we do know that if this was in a Microsoft product you wouldn't be making such an excuse.

  7. Re:Impossible! by Nerdfest · · Score: 2

    Of course it can happen, it's just less likely to have problems than software with only a few sets of eyes on it. In addition, I had patches installed on my linux machines this morning, before I was even aware the problem existed. How's that for turnaround.

  8. Re:Impossible! by Anonymous Coward · · Score: 0

    Developers should be liable up to the amount they charged you for the code, i.e. if the code fails to perform they have to give you a refund. It's wrong to demand payment for a product that doesn't work as it should (i.e. it's broken).

    Bind is given away free, and thus even if it fails, you've not paid for a broken product.

  9. A confusing summary on /., let me try to do better by Above · · Score: 5, Informative

    BIND is written by Internet Systems Consortium aka ISC, a non-profit that does various public benefit things for the Internet. The summary links to an alert from the Internet Storm Center aka ISC, a project of the SANS Technology Institute. There is no relation between these two ISC's, in this case the first authors the software, and the second tracks vulnerabilities. I'm sure by using a link to SANS many people on /. who are not familiar with these two ISC's will get them confused.

    The link in the summary also goes to a preliminary version of the advisory. The correct, full summary is available on Internet Systems Consortium's web site as CVE-2011-4313.

    I also think the characterization as a "0-day" isn't quite right. To me at least a 0-day issue is a bug that can be exploited to do something, and that is used by bad actors before the vendor is aware and able to fix the issue. In this case the bug simply crashes the server; there's no remote root or other exploit, and at this time there is no evidence of bad actors using this bug at all. Rather it appears something interesting (unusual, perhaps put there intentionally) appeared in the DNS, and it triggered a bug in the software.

    Some historical context may help. BIND8, for those who used it, was a pile of poo. It had a huge number of security issues and other problems and was generally a nightmare for sysadmins. Many people stayed on BIND 4.9.x for a very long time because of the issues in BIND8. When ISC launched BIND9, they wanted to change this perception. The action relevant to this bug is that BIND9 was designed to be full of assertions and other checks in the code. The goal was to catch any badness early, and if it was uncorrectable crash in a predictable way. The thought was that crashing with a core dump where you can fix the problem is far better than running off with bad data that could eventually be used in some sort of remote-root exploit.

    This issue is sort of the payoff of that philosophy. Rather than taking this bad data and giving a remote hacker access to the machine, BIND9 catches it with an assert, logs a useful message and core dumps. This is a big part of why 0-day leaves the wrong impression with me; "denial of service vector" seems to perhaps be a more accurate description. Sure, we could have a lively debate about whether crashing is preferred or not, but I think most of the administrators who lived through BIND8 prefer the BIND9 procedures.

    Internet Software Consortium also offers support for BIND (and DHCP). I'm amazed how many people run large, production name servers on BIND yet don't have a cheap support contract. If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor.

  10. isc.org Slashdotted. Good job! by L4t3r4lu5 · · Score: 1

    Hurrr, well done guys. Now nobody can download the patches.

    Someone want to set up some mirrors?

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:isc.org Slashdotted. Good job! by Anonymous Coward · · Score: 1

      Just updated my Debian boxes with apt a few minutes ago... I suppose you could always grab the source from a distro and compile.

    2. Re:isc.org Slashdotted. Good job! by Sipper · · Score: 1

      Hurrr, well done guys. Now nobody can download the patches.

      Right now the ISC website is still responding.

      At least some distributions have already incorporated the patches; for instance, for Debian upgrading simply involves doing an 'apt-get update', 'apt-get upgrade'.
      If updated packages are available, it's generally better to get the packages for Bind9 from the distribution rather than recompiling.

      However the "fix" in this case may not entirely fix the problem; the current repair withholds the DNS response and will keep Bind9 from crashing and shutting down, but they're not yet sure that there isn't another possible exploit involved. This means there will likely be a follow-on fix once they understand the actual exploit.

    3. Re:isc.org Slashdotted. Good job! by L4t3r4lu5 · · Score: 2

      So this is a patch to deliberately break the carefully constructed "graceful death" preventing a potential exploit?

      Sounds like a GRAND idea...

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    4. Re:isc.org Slashdotted. Good job! by Anonymous Coward · · Score: 0

      This is a patch to do the required cleanup to remove the offending data from the cache AND bypass the exception that caused the DoS.

  11. Re:Open sores == fail by NoNonAlphaCharsHere · · Score: 5, Insightful

    I can see this is going to be a long thread full of trolls about open source, but the fact of the matter is that an application "crashing" (really ABENDing) due to an assertion failure is actually a sign of software doing what it was designed to do. Assert statements are used to check for "impossible" conditions, and have the program scream and die if one is found. So what we have here is a careful programmer's backstop doing its job.

  12. Re:Impossible! by 1s44c · · Score: 0

    Although we do know that if this was in a Microsoft product you wouldn't be making such an excuse.

    No excuse. This is a disaster and I'm not excusing it. However it doesn't affect most people who set up their systems right. ISPs, DNS service providers, and anyone who has to let random strangers on their network may well be in trouble with this.

    Of course if this was Microsoft it would no doubt be an easy remote execution of arbitrary code, but only crazy people trust windows with something as critical as DNS in the first place.

  13. Re:Impossible! by Anonymous Coward · · Score: 0

    Funny, that is not the argument given whenever there is a problem with closed source. Then it is always 'the developers should be liable for any damages caused by the bug'.

  14. Re:Open sores == fail by 1s44c · · Score: 2

    Open sores software == fail. Once again full of security holes that the "many eyes" failed to spot.

    Unlike windows which never has remote crashes or remote execution of arbitrary code problems. Tell me, does microsoft.com still block ping? Why is that again?

  15. APK's monolithic hosts file by Culture20 · · Score: 5, Funny

    APK's monolithic hosts file is looking pretty good at the moment.

    1. Re:APK's monolithic hosts file by itchythebear · · Score: 1

      lol, +1 funny.

      I'm actually kind of surprised he hasn't stopped by to grace us with his randomly spaced and bolded wealth of knowledge...

      --
      If what I just said sounded like a troll, it was probably just a failed attempt at humor.
    2. Re:APK's monolithic hosts file by NoNonAlphaCharsHere · · Score: 1

      You can almost hear his hysterical laughter, can't you?

    3. Re:APK's monolithic hosts file by gl4ss · · Score: 1

      I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out.
      some sites load up faster. I just googled for some file that had been updated last month.

      --
      world was created 5 seconds before this post as it is.
    4. Re:APK's monolithic hosts file by mcavic · · Score: 1

      monolithic hosts file is looking pretty good at the moment

      Yeah, and when my car runs out of gas I'll just push it wherever I want to go.

    5. Re:APK's monolithic hosts file by Anonymous Coward · · Score: 0

      Whose laughter? APK or the poster you replied to?

  16. Re:But, BIND goes to, 11! by Anonymous Coward · · Score: 0

    However, BIND supports Response Policy Zones! Does TinyDNS support THAT? Without this critical capability, the entire internet is open to compromise, people could accidentally visit evil hostnames! All Hail Vixie!!

  17. Re:Open sores == fail by bws111 · · Score: 1

    I am confused - which was it designed to do: allow invalid data in the cache, or die when it found said invalid data in the cache? One or the other of those is a bug, not a design choice.
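    The design choice Above describes in comment 9 (assert on an "impossible" condition and die rather than run on with bad data), the fix described in the isc.org-Slashdotted subthread (clean the offending data out of the cache and bypass the exception that caused the DoS), and bws111's question above all concern the same code path. The C program below is an added example written for this page; it is not BIND source, and its cache layout and the invariant it checks (an A record carries exactly 4 bytes of rdata, an AAAA record 16) are hypothetical stand-ins for the inconsistency ISC had not yet identified. `lookup_strict` models the pre-patch behaviour and `lookup_recover` the post-patch behaviour; the `abort_on_insist` flag exists only so the strict path can be exercised without killing the process, since in named the INSIST failure aborts.

```c
/* Added example, not BIND source: a toy resolver cache contrasting "assert and
 * die" with "evict and recover" on a record that violates an internal invariant.
 * Layout and invariant (A = 4 rdata bytes, AAAA = 16) are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { MAX_ENTRIES = 8, MAX_RDATA = 16 };
enum rrtype { RR_A = 1, RR_AAAA = 28 };
enum lookup_result { LOOKUP_MISS, LOOKUP_HIT, LOOKUP_SERVFAIL, LOOKUP_CRASHED };
struct cache_entry { char name[64]; uint16_t type; uint8_t rdata[MAX_RDATA]; size_t rdlen; int in_use; };
struct cache { struct cache_entry e[MAX_ENTRIES]; };

/* named abort()s on an INSIST failure; a test harness clears this flag so the
 * strict path returns LOOKUP_CRASHED instead of killing the process. */
static int abort_on_insist = 1;
static int insist_failures = 0;

static int entry_consistent(const struct cache_entry *ce)
{
    return ce->type == RR_A ? ce->rdlen == 4 : (ce->type == RR_AAAA && ce->rdlen == 16);
}

/* Unchecked insert: stands in for whatever network event let the bad record in.
 * Returns 0 on success, -1 if the record does not fit. */
int cache_put(struct cache *c, const char *name, uint16_t type,
              const uint8_t *rdata, size_t rdlen)
{
    if (rdlen > MAX_RDATA || strlen(name) >= sizeof c->e[0].name) return -1;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        struct cache_entry *ce = &c->e[i];
        if (ce->in_use) continue;
        strcpy(ce->name, name);
        ce->type = type; ce->rdlen = rdlen; ce->in_use = 1;
        memcpy(ce->rdata, rdata, rdlen);
        return 0;
    }
    return -1;
}

static struct cache_entry *cache_find(struct cache *c, const char *name)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (c->e[i].in_use && strcmp(c->e[i].name, name) == 0) return &c->e[i];
    return NULL;
}

/* Pre-patch: INSIST on the invariant; a violation is logged and the process
 * aborts with a core dump. The bad entry stays cached, so the next query for
 * the same name kills the restarted server again. */
enum lookup_result lookup_strict(struct cache *c, const char *name,
                                 uint8_t *out, size_t *outlen)
{
    struct cache_entry *ce = cache_find(c, name);
    if (ce == NULL) return LOOKUP_MISS;
    if (!entry_consistent(ce)) {
        insist_failures++;
        fprintf(stderr, "%s:%d: INSIST(entry_consistent(ce)) failed for %s\n",
                __FILE__, __LINE__, name);
        if (abort_on_insist) abort();
        return LOOKUP_CRASHED;
    }
    memcpy(out, ce->rdata, ce->rdlen);
    *outlen = ce->rdlen;
    return LOOKUP_HIT;
}

/* Post-patch, modelled on ISC's description: log, evict the offending record,
 * answer SERVFAIL, keep running. The next query for that name is a miss. */
enum lookup_result lookup_recover(struct cache *c, const char *name,
                                  uint8_t *out, size_t *outlen)
{
    struct cache_entry *ce = cache_find(c, name);
    if (ce == NULL) return LOOKUP_MISS;
    if (!entry_consistent(ce)) {
        fprintf(stderr, "warning: inconsistent cached record for %s (type %u, "
                "rdlen %zu); evicting\n", name, (unsigned)ce->type, ce->rdlen);
        memset(ce, 0, sizeof *ce);
        return LOOKUP_SERVFAIL;
    }
    memcpy(out, ce->rdata, ce->rdlen);
    *outlen = ce->rdlen;
    return LOOKUP_HIT;
}

int main(void)
{
    struct cache c;
    uint8_t out[MAX_RDATA]; size_t n = 0;
    const uint8_t good[4] = {192, 0, 2, 1}, bad[6] = {192, 0, 2, 1, 0, 0}; /* constructed */
    memset(&c, 0, sizeof c);
    cache_put(&c, "good.example.", RR_A, good, sizeof good);
    cache_put(&c, "bad.example.", RR_A, bad, sizeof bad);   /* six bytes in an A record */
    int r1 = lookup_recover(&c, "good.example.", out, &n);
    int r2 = lookup_recover(&c, "bad.example.", out, &n);
    int r3 = lookup_recover(&c, "bad.example.", out, &n);
    printf("good -> %d (hit), bad -> %d (servfail), again -> %d (miss)\n", r1, r2, r3);
    return 0;   /* lookup_strict() on bad.example. would have abort()ed instead */
}
```

    Read together, the two functions answer bws111's question: the design is that the invariant always holds, the assertion is the backstop for when it does not, and the patch adds a second backstop that evicts the record so a repeat of the same query cannot crash the restarted server. In neither version does the resolver hand the inconsistent record back to a client.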

  18. Re:A confusing summary on /., let me try to do bet by NoNonAlphaCharsHere · · Score: 3, Funny

    BIND8, for those who used it, was a pile of poo.

    Your understated discretion just takes my breath away.

  19. Re:A confusing summary on /., let me try to do bet by Culture20 · · Score: 2

    I also think the characterization as a "0-day" isn't quite right. To me at least a 0-day issue is a bug that can exploited to do something,

    Something like cause a denial of service?

  20. Re:A confusing summary on /., let me try to do bet by decula03 · · Score: 1

    That's an excellent post, Above.
    thanks!

  21. use NSD by frn123 · · Score: 0

    use NSD. Sleep well.

    www.nlnetlabs.nl/projects/nsd/

  22. Re:Impossible! by Anonymous Coward · · Score: 0

    What we do know is that no-one has any need to put recursive DNS servers on the internet unless they are running an ISP or a DNS service

    But the advisory talks of an "as yet unidentified network event", which implies the cause is as yet unknown. How can you be certain that only public recursive servers are vulnerable? FTFA, I don't even have enough information to know whether this is caused by a malformed query or a malformed response packet.

    So, what do you know that the summary is not sharing?

  23. ZOMFG the internets are all crashed? by Rogerborg · · Score: 1

    Like "truly epic coronal mass ejections", lets save the hyperbole for when we can't use it. We'll know that there's a big problem when we can't read about it on Slashdot.

    --
    If you were blocking sigs, you wouldn't have to read this.
  24. Re:A confusing summary on /., let me try to do bet by TheCarp · · Score: 3, Interesting

    yes yes, but that's very limited. Yes, you can deny service.... but it can be started back up. The only loss is availability of the service, the integrity of the service is uncompromised. It isn't allowing someone to make you serve up their data, it isn't allowing anyone to dump data they shouldn't have, it isn't allowing them to change, erase or do anything to your data.

    Essentially... a DDOS means you are hosed until they stop or you can upgrade... the term 0-Day tends to be used to refer to actual security issues, where the denial of the service is the least of your worries. Patching isn't good enough because, they got a window in, and could have installed a root kit.

    --
    "I opened my eyes, and everything went dark again"
  25. Re:Impossible! by afidel · · Score: 1

    Except anyone with a resolver running BIND is potentially affected since all the attacker needs to do is point you at the invalid domain twice, that could be as simple as a webpage with the domain included and a meta refresh longer than the TTL on the domain.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  26. Re:A confusing summary on /., let me try to do bet by surgen · · Score: 5, Interesting

    Thanks for the clear explanation.

    If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor.

    Very true. It's funny that this morning I had applied security patches to a debian stable box and thought "hmm, looks like BIND is getting fixed, wonder what that's about" before this even got posted to slashdot.

  27. Re:Open sores == fail by NoNonAlphaCharsHere · · Score: 3, Insightful
    I guess it's really a question of design philosophy. Microsoft has always been from the "never test for an error condition you don't know how to handle" school, leading to lots and lots of buffer overrun type problems or just plain application crashes. The other side is to have tests you "really don't need". Say for example you have a switch statement where you "just know" (have verified elsewhere/input comes from a trusted source, etc.) that you have a lower-case letter that you want to process, so the code ends up looking something like:

    #include <assert.h>

    switch (c)
    {
    case 'a': whatever('a'); break;
    case 'b': whatever('b'); break;
    ...
    case 'z': whatever('z'); break;

    default: // AND THIS IS THE IMPORTANT BIT
    /* assert() on a bare string literal never fires (a non-null pointer is
       true); negating it makes the assertion fail and report file and line. */
    assert(!"c is not a letter!!");
    }

    Microsoft code would typically leave out the assert, and happily stumble along. At least with the assert, you know what AND WHERE the Bad Thing (TM) happened, and have a clue as to where to look to fix it.

  28. Tip of the iceberg by mseeger · · Score: 4, Insightful

    The "assertion"-problem is only tip of the iceberg.

    If an assertion fails, this usually means that someone managed to make the code behave in an unintended way. Since the effect occurred simultaneously at several providers all over the world, this indicates a coordinated attack. The chances are real, someone managed to exploit a buffer overflow (or similar) in BIND.

    So we have to look seriously into the possibility that people have a way to execute code with the same permissions as BIND has.

    When i got the information this morning, this was an alert topic.

    Yours, Martin

    1. Re:Tip of the iceberg by kqs · · Score: 5, Informative

      The "assertion"-problem is only tip of the iceberg.

      If an assertion fails, this usually means that someone managed to make the code behave in an unintended way.

      Except that the assertion isn't the problem. The problem is that BIND allows bad data into its cache. The assertion detects this and crashes BIND before the bad data becomes an exploit.

      Now, there still may be a way to execute code using this method, but the assertion has alerted everyone to this problem so I expect this particular problem to be solved quickly. And thanks to the assertion-crashes, people will be forced to upgrade rather than running a vulnerable version for the next 5 years.

      I'd prefer software without bugs, but since that's impossible, I'll happily take BIND.

    2. Re:Tip of the iceberg by blair1q · · Score: 1

      The assertion is a problem.

      Deployed code with asserts in it is crap, and would violate any contract I've worked to since 1995.

      At least this was just teh interwebs that it broke. If it had been safety-related, someone would be ducking under their desk trying to call their lawyer.

    3. Re:Tip of the iceberg by surgen · · Score: 1

      The assertion is a problem.

      Deployed code with asserts in it is crap, and would violate any contract I've worked to since 1995.

      At least this was just teh interwebs that it broke. If it had been safety-related, someone would be ducking under their desk trying to call their lawyer.

      So your code, that you make sound more important and/or safety related than DNS, doesn't have any failsafes? Really?

    4. Re:Tip of the iceberg by Anonymous Coward · · Score: 0

      So your code, that you make sound more important and/or safety related than DNS, doesn't have any failsafes? Really?

      So you think assert() is a substitute for proper exception handling? Really?

    5. Re:Tip of the iceberg by Anonymous Coward · · Score: 0

      Failsafe doesn't mean die. Asserts are great for debugging, but not production. In production you should always try to recover.

    6. Re:Tip of the iceberg by surgen · · Score: 1

      So you think assert() is a substitute for proper exception handling? Really?

      In this specific case, sure, why the hell not? It's DNS, and you've found that you're in an impossible state. What else are you supposed to do? Even if the process hasn't been compromised, by the nature of the assert you've failed and don't know how to recover. Do you want to keep on serving DNS, assuming the process is in a state where it is fine to keep on trucking? Or maybe enter a do-nothing failure mode, which is just as useful as going down hard, but with the added bonus that the process is experiencing unknown problems and you want to rely on it to contain itself properly.

      And I didn't say it was a substitute for proper exception handling, just that you're going to let exceptions you haven't prepared for to bring the process down, rather than blindly swallowing them. Or do you think this is good code:

      try:
          foo()
      except Exception as e:
          pass  # EVERYTHING'S FINE, GO BACK TO WORK!
      bar()

    7. Re:Tip of the iceberg by blair1q · · Score: 1

      My code, which sometimes is the difference between life and death, considers all possibilities to be nominal cases, and deals with each equivalence class accordingly.

      People who use asserts in fielded code are either (1) lazy or (2) dumb or (3) cheating their employers.

    8. Re:Tip of the iceberg by blair1q · · Score: 2

      >exceptions you haven't prepared for

      there's your problem right there.

      when you go through your code and you see an assert, or something that does the same thing, you're not done coding.

  29. Re:A confusing summary on /., let me try to do bet by jakeguffey · · Score: 1

    I am 100% with you up until you say, "I'm amazed how many people run large, production name servers on BIND yet don't have a cheap support contract. If you run BIND, rather than getting your alerts via /. look into a support contract so you get them directly from the vendor." I have a couple issues with this. The first is simply that it's perfectly reasonable to expect a good UNIX admin to handle BIND without issue for generalist deployments. The other issue I have is that you don't need a support contract to get these alerts. Sign up for the bind-announce mailing list (link: https://lists.isc.org/mailman/listinfo/bind-announce). Again, I'm totally with you up until the end there.

  30. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 0

    I also think the characterization as a "0-day" isn't quite right. To me at least a 0-day issue is a bug that can be exploited to do something,

    Something like cause a denial of service?

    The same can be done via a flood of packets that saturate either the machine (CPU) or the network to the machine.

    A DoS is unfortunate and annoying, but a bug that leads to a ("clean") crash is in no way the same as an exploit. Heck, after an exploit it could be possible for the attacker to restart the service so the victim does not lose service (and thus is less likely to know that something occurred).

  31. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 0

    You would have to be a moron to run BIND for anything in the first place.

    BIND is the epitome of taking what should be a simple piece of software and turning it into an over-complicated, impossible to secure, impossible to debug, spaghetti coded piece of shit.

    I mean BIND has been around for DECADES and there are still security vulnerabilities found all the time.

  32. Open resolvers by bjb_admin · · Score: 2

    I am glad I took my lumps and disabled public recursive resolving many years ago on my BIND installations. Only do that for local IP ranges! This eliminates all the resolver issues. Also I found that when the DNS server was open I was getting a constant stream of unusual TXT lookups which were for oddball domains. These contained many K of data. I suspect these requests were fake source IP requests being used as some sort of bandwidth DOS attack.

    1. Re:Open resolvers by Short+Circuit · · Score: 4, Insightful

      More likely, the unusual TXT lookups were someone streaming IP over DNS.

    2. Re:Open resolvers by mcavic · · Score: 1

      someone streaming IP over DNS

      If I owned a gun...

    3. Re:Open resolvers by Anonymous Coward · · Score: 0

      It's bog slow and requires you to be running a dns server on a machine you have root on, but yes you can:

      http://dnstunnel.de/

    4. Re:Open resolvers by bjb_admin · · Score: 1

      That is not the issue I was having. These were remote TXT lookups to a remote domain with a large TXT record. It was always looking up the same host and same TXT payload. No recursion stopped that issue. These were very regular at one or 2 second intervals. Probably would make a good bandwidth DDOS if you had access to enough recursive BIND servers, and could send requests with forged source IPs (which today is harder to do due to better filtering at the ISPs). Thus one small DNS request is multiplied several hundred times in size, like the old Smurf PING attacks.
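
The pattern bjb_admin describes (the same client repeatedly asking an open resolver for one large TXT record at a steady interval) is something a resolver operator can pick out of the query log. The following is an added example, not code from the post or from BIND: it parses constructed log lines written in the style of BIND 9's `queries` log category (the exact field layout of real logs varies by version and configuration) and flags clients that repeatedly request amplification-prone record types for the same name within a short average interval.

```python
"""Flag repeated amplification-prone lookups in a resolver query log.

Added example; the log lines below are constructed, not taken from any
real server, and approximate the BIND 9 'queries' category format.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log: one client hammering a single TXT name about once
# a second, plus ordinary unrelated queries that must not be flagged.
SAMPLE_LOG = """\
01-Jan-2012 10:00:00.101 client 198.51.100.7#5353: query: big.example.net IN TXT + (192.0.2.53)
01-Jan-2012 10:00:00.205 client 192.0.2.10#51234: query: www.example.com IN A + (192.0.2.53)
01-Jan-2012 10:00:01.102 client 198.51.100.7#5353: query: big.example.net IN TXT + (192.0.2.53)
01-Jan-2012 10:00:02.099 client 198.51.100.7#5353: query: big.example.net IN TXT + (192.0.2.53)
01-Jan-2012 10:00:02.500 client 192.0.2.11#40001: query: _dmarc.example.org IN TXT + (192.0.2.53)
01-Jan-2012 10:00:03.104 client 198.51.100.7#5353: query: big.example.net IN TXT + (192.0.2.53)
01-Jan-2012 10:00:04.100 client 198.51.100.7#5353: query: big.example.net IN TXT + (192.0.2.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Record types whose answers are typically much larger than the query.
AMPLIFYING_TYPES = {"TXT", "ANY", "DNSKEY", "RRSIG"}

Record = Tuple[datetime, str, str, str]


def parse_line(line: str) -> Optional[Record]:
    """Return (timestamp, client, qname, qtype) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    qname = m.group("qname").lower().rstrip(".")
    return ts, m.group("client"), qname, m.group("qtype").upper()


def detect_repeated_lookups(log_text: str, min_count: int = 4,
                            max_mean_interval: float = 5.0) -> List[Dict]:
    """Group amplifying queries by (client, qname, qtype) and report the
    groups that repeat at least min_count times with a short mean spacing."""
    seen: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, qtype = rec
        if qtype in AMPLIFYING_TYPES:
            seen[(client, qname, qtype)].append(ts)

    findings = []
    for (client, qname, qtype), times in seen.items():
        if len(times) < min_count:
            continue
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        mean_interval = span / (len(times) - 1)
        if mean_interval <= max_mean_interval:
            findings.append({"client": client, "qname": qname, "qtype": qtype,
                             "count": len(times), "mean_interval": mean_interval})
    findings.sort(key=lambda f: f["count"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in detect_repeated_lookups(SAMPLE_LOG):
        print(f"{f['client']} asked {f['qname']}/{f['qtype']} "
              f"{f['count']}x, every {f['mean_interval']:.2f}s on average")
```

The thresholds are deliberately plain (a count and a mean spacing) so the rule is easy to reason about; on a busy resolver you would run it per time window and feed the findings into whatever rate limiting or access-list change you already use, and the first fix remains the one bjb_admin applied: do not offer recursion to the world.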

    5. Re:Open resolvers by Anonymous Coward · · Score: 0

      I stream IP over DNS all the time, but I never noticed any unusual TXT lookups

    6. Re:Open resolvers by Anonymous Coward · · Score: 0

      Hey, this might be the only way a free internet can exist in a couple of years.

    7. Re:Open resolvers by Anonymous Coward · · Score: 0

      >> someone streaming IP over DNS

      If I owned a gun...

      ...you would shoot whoever set up such draconian firewalls creating the need for such workarounds?

    8. Re:Open resolvers by Short+Circuit · · Score: 1

      Might have been a cached data block for a botnet payload. As a DDOS, it doesn't make any sense, because you'd have had to put that TXT record on the retrieved host in the first place.

  33. Unbound, not NSD by bigogre · · Score: 2

    Unbound, also from NL Netlabs, is a recursive resolver. NSD is an authoritative server.

    The problem is with Bind as a recursive resolver, not as an authoritative server.

  34. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 1

    Yeah, but only the sheer incompetence of a multi-billion dollar corporation like Microsoft could produce the level of spectacular FAIL needed to let the following kind of vulnerability go unaddressed for DECADES..

    http://www.kb.cert.org/vuls/id/951982
    Microsoft Windows UDP packet parsing vulnerability

    You have to admit being able to get root by sending malicious packets to a CLOSED port on a machine is just so awesomely FAIL, BIND's little DOS exploit pales in comparison.

  35. Re:Impossible! by swalve · · Score: 2

    That's not how liability works. You are talking about some kind of warranty.

  36. Re:Open sores == fail by bws111 · · Score: 3

    First, this has nothing to do with Microsoft, so there is no need to drag them into it.

    Second, I am not questioning the need to test for errors, or that sometimes the correct thing to do when an error is encountered is die. I am challenging your position that overall the software is doing what it was designed to do and this is not a bug. The assertion itself is fine - there are reasons why the cache may have been corrupted and you want to kill the program (hardware error, tampering with files, etc). However, in this case the check should have been done BEFORE the data was put into the cache, when the correct response would have been to simply reject the message. Failure to do that check is a bug.
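
The distinction bws111 draws here, and that the switch/assert example earlier in the thread illustrates from the other side, is between validating data at the trust boundary and asserting an invariant deep inside. The following added example (not BIND's code, and not the inconsistency the ISC advisory refers to) models it with a toy resolver cache: a naive cache stores whatever arrives and only asserts when the record is served, so bad data crashes it on the second query; a checked cache rejects the response at insert time and keeps the same assertion purely as an internal guard. The invariant used is a generic one chosen for illustration: all records of one RRset share one owner name, type and TTL (RFC 2181 section 5.2).

```python
"""Validate DNS data before caching instead of asserting on it later.

Added example; not BIND's code.  The invariant checked here (one owner,
type and TTL per RRset) is a generic protocol rule used for illustration,
not the specific inconsistency in the advisory.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record as it arrives in a response."""
    name: str
    rtype: str
    ttl: int
    rdata: str


class RRSetError(ValueError):
    """Raised when a received RRset violates a protocol invariant."""


Key = Tuple[str, str]


def _key(name: str, rtype: str) -> Key:
    return name.lower(), rtype.upper()


def validate_rrset(rrs: List[RR]) -> Key:
    """Check a received RRset at the trust boundary; return its cache key."""
    if not rrs:
        raise RRSetError("empty RRset")
    owners = {rr.name.lower() for rr in rrs}
    types = {rr.rtype.upper() for rr in rrs}
    ttls = {rr.ttl for rr in rrs}
    if len(owners) != 1 or len(types) != 1:
        raise RRSetError("records do not belong to one RRset")
    if len(ttls) != 1:
        raise RRSetError("mixed TTLs in one RRset")
    if not 0 <= rrs[0].ttl <= 2**31 - 1:
        raise RRSetError("TTL out of range")
    return owners.pop(), types.pop()


class NaiveCache:
    """Caches whatever arrives; the invariant is only asserted at lookup."""

    def __init__(self) -> None:
        self.store: Dict[Key, List[RR]] = {}

    def insert(self, rrs: List[RR]) -> None:
        self.store[_key(rrs[0].name, rrs[0].rtype)] = list(rrs)

    def lookup(self, name: str, rtype: str) -> Optional[List[RR]]:
        rrs = self.store.get(_key(name, rtype))
        if rrs is None:
            return None
        # Internal invariant.  Bad data accepted earlier trips it here,
        # on the query that reads the cache, not on the one that filled it.
        assert len({rr.ttl for rr in rrs}) == 1, "cached RRset has mixed TTLs"
        return rrs


class CheckedCache(NaiveCache):
    """Rejects inconsistent data at insert time; the assert stays as a guard."""

    def __init__(self) -> None:
        super().__init__()
        self.rejected: List[str] = []  # stands in for a log line per drop

    def insert(self, rrs: List[RR]) -> bool:
        try:
            key = validate_rrset(rrs)
        except RRSetError as exc:
            desc = f"{rrs[0].name}/{rrs[0].rtype}" if rrs else "<empty>"
            self.rejected.append(f"{desc}: {exc}")
            return False  # drop the response, keep serving
        self.store[key] = list(rrs)
        return True


def lookup_crashes(cache: NaiveCache, name: str, rtype: str) -> bool:
    """True if serving this name from the cache trips the assertion."""
    try:
        cache.lookup(name, rtype)
        return False
    except AssertionError:
        return True


# Constructed sample responses (not from the advisory).
GOOD = [RR("www.example.com.", "A", 300, "192.0.2.1"),
        RR("www.example.com.", "A", 300, "192.0.2.2")]
BAD = [RR("www.example.com.", "A", 300, "192.0.2.1"),
       RR("www.example.com.", "A", 60, "192.0.2.2")]

if __name__ == "__main__":
    naive, checked = NaiveCache(), CheckedCache()
    naive.insert(BAD)
    print("naive cache trips assert on lookup:", lookup_crashes(naive, "www.example.com.", "A"))
    print("checked cache accepted bad data:", checked.insert(BAD))
    print("checked cache accepted good data:", checked.insert(GOOD))
    print("rejections logged:", checked.rejected)
```

Keeping the assertion in the checked cache is deliberate: once the boundary check exists it should never fire, and if it does the process really is in a state nobody planned for, which is the case kqs and surgen argue for above. Note that Python strips `assert` under `-O`, much as `NDEBUG` does in C, so the boundary check is the only one that is guaranteed to run in production.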

  37. Re:Impossible! by Anonymous Coward · · Score: 0

    Because Microsoft is a monopolist? This reason alone is sufficient to treat them very differently than anyone else, especially a community effort.

  38. Re:A confusing summary on /., let me try to do bet by Above · · Score: 2

    I'm not sure how to square large production name servers with "generalist deployments". Clearly the small admin can do without a support contract. However I've seen large ISP's, supplying service to millions of customers with no support, and I think that's insane.

    If you go back to ISC's Software Support page you'll notice "Advance Security Notifications". Depending on the nature of the issue, ISC's support customers often receive notification before BIND-announce. I believe this particular issue went out in all forums pretty much at the same time due to the severity, but lesser issues may be released in a staged fashion.

  39. Re:Open sores == fail by bws111 · · Score: 1

    Also, note that in this case the assert did NOT tell them 'where the bad thing happened'. If it did, it would not be 'an as-yet unidentified network event'. The assert, in this case, is simply saying 'at some point in the past a bad thing happened, and I just figured that out now'.

  40. etckeeper by Compaqt · · Score: 5, Informative

    By the way, another thing people who are wont to mess with their /etc should keep in mind is etckeeper. It versions your /etc, by default in bazaar, but it's also supposed to work with git, hg, etc. It has triggers set so every time you install something, it does an automatic checkin.

    You can also do manual commits, too, along with a message.

    Good for people who want to know what the config files looked like when they were working a week ago.

    Click to install (Debian and friends)

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:etckeeper by Anonymous Coward · · Score: 0

      Wow, thanks for this, I had no idea that kind of software existed! I don't dabble that much in /etc, but this looks like a nice security.

    2. Re:etckeeper by X0563511 · · Score: 3, Interesting

      Awesome!!

      I've been known to keep subdirectories of /etc as SVN repository checkouts, but that grabs the whole thing!

      The only thing I'd be worried about is accidentally uploading sensitive data (hashes and such).

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    3. Re:etckeeper by Compaqt · · Score: 1

      Yeah, I used to use the old-school ci and co commands from rcs (anybody remember that?).

      In fact, you can still use it to version specific files you care about without pulling in everything.

      One thing which is an annoyance for me is the huge lines of binary represented as text in Virtualmin config files. Haven't found a solution to that.

      You're right about the sensitive data. Anybody have a good solution?

      --
      I'm not a lawyer, but I play one on the Internet. Blog
  41. Re:Open sores == fail by swalve · · Score: 1

    Instead of testing for known and unknown invalid data, it's the right way to test for valid data and puke on invalid data? In your code example, you wouldn't need to run that test because you already tested/trusted it somewhere else. If you know it is a lower case letter, the test isn't necessary. Data should be sanitized before it ever gets to your logic.

  42. Re:Impossible! by asdfghjklqwertyuiop · · Score: 1

    No, we don't.

  43. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 0

    I also think the characterization as a "0-day" isn't quite right.

    Download Bind by Specific Version shows 9 was released 2004-Jan-28 07:05:51.

    0-day used to mean that the exploit was released the day of release. Versus 1-day or later cracks.

    Now it's just another throwaway term for exploit. And a very silly one at that.

    (To be fair, it could be a problem with the last release from November 9th, 2011. I did not regression test this.)

  44. Re:A confusing summary on /., let me try to do bet by jakeguffey · · Score: 1

    Ahh. Point. I didn't realize that ISC support provided notifications in advance.

  45. Re:A confusing summary on /., let me try to do bet by Canazza · · Score: 1

    that link you posted says it was patched 2 weeks ago. It makes no mention of the date the exploit was found. How do you know this was part of the software for decades?

    --
    It pays to be obvious, especially if you have a reputation for being subtle.
  46. Re:A confusing summary on /., let me try to do bet by Kjella · · Score: 1

    To be honest I completely hate ASSERT-style checks, particularly in multi-user systems. One single logic mistake and boom goes the whole server. With exceptions you can at least have a gradual panic. But when you so often resort to pointer-magic and any unterminated string is a recipe for chaos, well... Though it would be nice if exceptions actually worked, which they don't in C++. Try/catching into some third party code and it'll still segfault on you, completely ignoring your attempt to catch any and all exceptions. Sigh.

    --
    Live today, because you never know what tomorrow brings
  47. Re:A confusing summary on /., let me try to do bet by UnknowingFool · · Score: 1

    The point you are missing is "0-day" has come to mean vulnerabilities that can be exploited now for things like remote code execution, takeover, etc. In this case, the bug causes crashes but it is not clear that it makes the computer vulnerable to other security matters.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  48. Re:Open sores == fail by X0563511 · · Score: 1

    Hilarity ensues :P

    I'm joking though... because that's just one tiny piece. The rest of the infrastructure is indeed eating its own dogfood - either directly, or via "citrix netscaler"

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  49. I don't get it... by mcavic · · Score: 1

    How hard is it to write a DNS server without any vulnerabilities? I know it's complex, but still, come on. It's only the backbone of the Internet we're talking about.

    1. Re:I don't get it... by blair1q · · Score: 1

      In this case, it's as simple as not using an assert, particularly as an input validator...

      Seriously, are they fucking kidding with that? Do they also hardcode backdoor passwords?

      Grep all your code for assert, and, if they aren't wrapped in #ifdef DEBUG or something similar, replace them with something useful.

    2. Re:I don't get it... by psydeshow · · Score: 1

      How hard is it to write a DNS server without any vulnerabilities? I know it's complex, but still, come on. It's only the backbone of the Internet we're talking about.

      The usual suspects: enterprise and legacy. Rather than just being a passive lookup engine, BIND has all kinds of extra interfaces and message-passing schemes that keep secondaries in sync with the master and allow automated processes to update and reload zones semi-automatically. I suspect there are also a bunch of legacy record types and zone file syntaxen that need to be supported.

      It's similar to (but not as bad as) the problem with mail transport agents (MTAs aka SMTP servers). To be feature-complete and reliable they have to support a bunch of ancient protocols like UUNET and understand the quirks of legacy MTAs and work with other systems that expect an MTA to behave in a particular (if inelegant) way.

    3. Re:I don't get it... by bigogre · · Score: 1

      DNS does seem simple doesn't it? Ask a question and get an answer.

      Unfortunately for a recursive resolver to get an answer it must talk to multiple servers. Sometimes, a lot of times, the servers have incorrect or out of date data. So one server says it has an answer but it directs the resolver to the wrong place. Sometimes servers return bad data (it is corrupt or plain junk). Sometimes the server is a really old version of Bind and can't handle the newer features of DNS (DNSSEC, EDNS, new record types, etc.). And sometimes the server is a home made thing that seemed like a good idea at the time but doesn't really work all that well. The number of permutations of bad data and bad behavior is huge.

      A recursive resolver needs to handle all of the above and keep working, and try to have good performance. Gracefully handling subtly bad data seems simple until you have to write the code to do it. Yes, the gross problems are simple to solve. The others, well they are what can keep you up at night.

  50. Re:A confusing summary on /., let me try to do bet by Jose · · Score: 1

    when ever I think of BIND8, I think of my .sig:

    --
    The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
  51. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 0

    There's a reason it's called the CIA triad... 0-day has no implications whatsoever about the impact, just that a vulnerability that was unknown to the vendor or researchers is being exploited in the wild.

  52. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 0

    The point you are missing is "0-day" has come to mean . . .

    Actually, the best I can tell is 0-day has become so trendy it has no meaning at all. I'd prefer if people simply stopped using it. It provides me with zero information.

  53. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 0

    Well, how about this:

    We learned about the issue because BIND developers elected to make BIND crash whenever something was wrong. Let's follow the logic that the crash was caused by something in some random zone, that all these resolvers looked up and choked upon. What if other nameservers are being compromised as we speak, because their designers elected to either run with bad data or not to try to detect bad data at all?

  54. NSD by powdered+toast+dude · · Score: 3, Informative

    As a long-time BIND hater, I recently switched from djbdns/tinydns to NSD. I figured if it's good enough for a few root servers it was worth a look. It's very efficient and fast, uses standard zone files, fully ipv4/ipv6 dual-stack transparent, and is DNSSEC aware. Very pleased so far.

    --
    I'm an animal lover -- they're delicious!
  55. meaning of zero-day by Onymous+Coward · · Score: 1

    0-day used to mean that the exploit was released the day of release. Versus 1-day or later cracks.

    Different from my understanding. You're thinking of 0-day warez. Here, WP explains it pretty well:

    A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.

    The term derives from the age of the exploit. A "zero day" attack occurs on or before the first or "zeroth" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software.

    In short, knowledge of the vulnerability exists with attackers before developers. Developers developers developers developers.

    Could someone edit that, actually? s/distribute a security fix/address the vulnerability/ If the developer is unaware, they're neither analyzing, patching, notifying users, nor advising workarounds, let alone distributing security fixes.

  56. Re:A confusing summary on /., let me try to do bet by sjames · · Score: 1

    More to the point, since we have an advisory about it and there's a patch, it can no longer be considered zero day. A true zero day vulnerability is one that only the blackhats know about. Expanding that to include a vulnerability that the vendor doesn't yet understand well enough to patch makes sense. But anyone using the term for a bug that has a patch out to fix it is just being over-dramatic.

  57. Re:A confusing summary on /., let me try to do bet by PoopMonkey · · Score: 2

    I've never known 0-day to mean that. 0-day has to me always meant an exploit in the wild before the author is aware of it vs. an exploit taking advantage of a bug that was fixed a month ago but people haven't applied the patch.

  58. Security tip of the day: Do not use BIND by gweihir · · Score: 1, Informative

    It has an atrocious security history. Seems the rewrite did not accomplish much. Or if you have to use it, lock it into a VM, preferably qemu, so that you get at least some level of isolation.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Security tip of the day: Do not use BIND by Above · · Score: 4, Informative

      There has not been a single remote-root exploit in BIND9 since it was offered up to the world circa 2001. It was a complete rewrite with new goals, so taking BIND 4.x or BIND 8.x as examples isn't really relevant.

      ISC is also completely open about security issues, listing them all on the web site and registering them with the CVE Registry.

      As I stated in another post, the goal of BIND9 was to use various constructs (like assertions) to check data integrity, where possible on the fly and where not practical in a way that causes a core dump. That to fail safe was the best option, and crashing in a way the bug could be fixed was a positive. If you view the advisories against BIND9 you'll see that strategy has worked very well. Of course there's no reason not to lock any application in a VM, jail, chroot or whatever to get additional security, but I think the track record of BIND9 compared to most other major open source software is decent.

      BIND is also "full featured". Many of the folks here reference alternatives like NSD, tinyDNS, or Unbound which provide limited functionality compared to BIND. Obviously if you're willing to limit the functionality you limit the bug exposure, but that's true both if you use software that doesn't include the functionality but also if you disable that functionality in BIND. For instance the bug in question affects recursive resolvers only, if your BIND9 instance is an authority only configuration there is no exposure.

      I'm afraid most of BIND's bad reputation comes from BIND 4.x and BIND 8.x, both of which were quite bad (for different reasons). BIND9 was a departure, and now ISC is working on BIND 10, which should be yet another large leap forward.

    2. Re:Security tip of the day: Do not use BIND by gweihir · · Score: 1

      Well, as the current problems show, BIND9 still does not get it quite right. I agree that it is better. If BIND10 can make the same step as was made from 4/8 to 9, then BIND10 will finally be a good piece of mission-critical server software. And, yes, that is what it is and has to be. So comparing it to "most other open source projects" is bogus. Not even apache is that critical. Maybe OpenSSH, but it has a truly amazing security record, which certainly is no accident. BIND still has to get there.

      I am not saying it will not, but at this time the ego of the BIND team is still too large and its accomplishments do not quite match what is (and needs to be) expected. Until both states change some more, "do not use BIND unless you have to" (which would be the long title of my posting) remains sound advice.

      This is not criticism of the people doing this. Having a large ego that is not quite matched by actual skill is quite normal until you have a lot of experience. CS graduates suffer the worst from it in my experience. Unfortunately, this is perhaps the worst threat to software security that is there. To create secure software, you have to _underestimate_ your abilities by a significant margin and be very, very careful. The famous quote by Brian W. Kernighan applies with an amplification effect to architecture, design and implementation of secure software:

      "Debugging is twice as hard as writing the code in the first place.
      Therefore, if you write the code as cleverly as possible, you are,
      by definition, not smart enough to debug it."

      If you substitute "security analysis" for "debugging" and "several times as hard" for "twice as hard", then this is a core insight needed for creation of secure software. Unfortunately most code writers cannot manage the required humility. The BIND team seems to be able to learn, but is not quite there yet. And as this is a learning experience, everybody that makes the journey already is on the side of those that either get it or will get it in the future.

      So do not defend BIND9, do better. You likely can.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Security tip of the day: Do not use BIND by Above · · Score: 1

      I'm confused why BIND would be more critical than Apache (to use your example).

      DNS is, from the start, a robust, distributed system. If you have 4-6 name servers for your domain (as you should) and one is down for any reason (network unreachable, server dead, BIND crashed, whatever) users _should not notice_. Caching resolvers will automatically query other name servers, life will move on. Compare with widely used software such as Apache, Sendmail, Firefox, when those fail typically a user notices.

      Indeed, I would recommend anyone with _mission critical_ DNS needs operate multiple name servers _and use multiple software packages_. For instance the root servers are a mix of BIND and NSD. Every software can have a bug, having ecosystem diversity is a good hedge, particularly when the protocol is already designed to deal with multiple servers.

      I admit BIND9 could do a lot better. It was conceived in the late 1990's, and written in the early 2000's. Computer Science evolves quickly, and there have been a lot of advancements since that time and BIND9 has not kept up. But that is why there is a BIND10 project now. If you have input I strongly suggest you contribute to it as it's a much more open development model than BIND9.

      The only bright line I want to draw is between BIND 4/8 and BIND 9/10. It's actually sad they all have the same name. BIND 4 and 8 are junk, and gave BIND a very bad reputation that continues to this day. They are a major reason some of the competitive products exist. BIND9 was a clean start to close the gap, and hopefully BIND10 will be a quantum leap forward. Painting them all with the same brush is wrong.
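
The failover the comment above describes, as an added example that is not from the thread or from any DNS implementation: a small Python model of a caching resolver working through a zone's NS set when one server has crashed, plus the "how many different implementations are in this NS set" check the same comment recommends. The server names, their software labels and which of them is down are constructed for the demonstration; no network traffic is sent.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


class ServerDown(Exception):
    """A simulated server that is unreachable or has crashed (timeout / no reply)."""


@dataclass(frozen=True)
class NameServer:
    name: str       # hostname of the authoritative server (constructed)
    software: str   # implementation it runs, e.g. "BIND 9" or "NSD" (constructed)
    alive: bool     # whether it currently answers


def query(server: NameServer, qname: str) -> str:
    """Simulated authoritative answer. A dead server behaves like a timed-out query."""
    if not server.alive:
        raise ServerDown(server.name)
    return f"{qname} A 192.0.2.10"   # constructed answer (TEST-NET-1 address)


def resolve(qname: str, servers: List[NameServer]) -> Tuple[Optional[str], Optional[str], List[str]]:
    """What a caching resolver does with the NS set: pick a server (here at random;
    real resolvers weight by measured RTT) and move on to the next one after a
    failure. Returns (answer, server that answered, servers that failed);
    answer is None only when every server in the set failed."""
    order = list(servers)
    random.shuffle(order)
    failed: List[str] = []
    for ns in order:
        try:
            return query(ns, qname), ns.name, failed
        except ServerDown:
            failed.append(ns.name)
    return None, None, failed


def implementations(servers: List[NameServer]) -> List[str]:
    """Distinct implementations in the NS set. A single entry means one bug
    (like the assertion failure this story is about) can take every server down."""
    return sorted({ns.software for ns in servers})


# Constructed NS set: one of the BIND 9 servers has just crashed.
NS_SET = [
    NameServer("ns1.example.net", "BIND 9", alive=False),
    NameServer("ns2.example.net", "BIND 9", alive=True),
    NameServer("ns3.example.net", "NSD", alive=True),
]

if __name__ == "__main__":
    answer, who, failed = resolve("www.example.net", NS_SET)
    print(answer, "from", who, "after failures on", failed)
    print("implementations in the NS set:", implementations(NS_SET))
```

Running it repeatedly shows the answer always arriving from ns2 or ns3; ns1 shows up in the failed list only when the shuffle tried it first, which is exactly the "users should not notice" property. With ns1 as the only server the result is (None, None, ["ns1.example.net"]), the outage a single-server zone would see.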

  59. TreeWalk by macraig · · Score: 2

    I use TreeWalk. Since it's an implementation of BIND, do I need to apply this patch to it, and if so how?

  60. qmail backscatter by Onymous+Coward · · Score: 3, Interesting

    Did a little looking into it and, though I'm generally a fan of DJB's wares, unpatched qmail does indeed have the problem of accepting all mail for configured domains, regardless of localpart (box) validity. Which means DSNs will be sent for bad addresses, and since SMTP provides no way of validating senders, backscatter occurs. This is the term for it, by the way.

    I've seen plenty of spam using the mechanism. It's a real problem.

    Patches are available. But, yeah, DJB's licensing made even patching problematic for the longest time. Thankfully, he's conceded on that point. Which suggests to me he's not dogmatic or unreasonable, just rigidly principled.

    I run Postfix, too. Love it. The licensing limbo was part of my decision to go with Postfix, though there were a number of factors. But I still run DJB's tinydns and dnscache.

  61. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 0

    Because patches were issued for all supported Windows versions, which implies the ones out of support most likely would have needed the same patches.

  62. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 0

    It is/was a 0 day exploit. ISC did not know what the hell happened while we were troubleshooting the issue and only knew because they received core dumps created from the crash.

    Also Tuesday night the only companies impacted were those in the USA. Cox, Rackspace, and others were having issues.

    The interesting thing is that the day before the FBI announced busting a DNS jacking ring, then this happens.

  63. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 0

    Windows is not a single piece of software providing a single service though. I can understand something as complex as an entire OS having security bugs no matter how long it has been around. BIND has no such excuse, it's a simple service with a brain-dead implementation.

  64. Re:Open sores == fail by blair1q · · Score: 1

    Repeat after me:

    "There are no impossible conditions in input."
    "There are no impossible conditions in input."
    "There are no impossible conditions in input."
    "There are no impossible conditions in input."
      . . .

  65. Re:Open sores == fail by blair1q · · Score: 1

    So you're releasing your debug version of the code as a product? Nice.

  66. Re:A confusing summary on /., let me try to do bet by Anonymous Coward · · Score: 0

    So basically, a cron job running once a minute to check for a running bind instance and restart it if not would correct the issue. Oh, and here's a script to make it work; if it's not perfect, it's pretty close....

    #!/bin/sh
    # Run from cron once a minute: if no named process is running, log it and start named.
    # The "[n]amed" pattern stops grep from matching its own command line.
    if [ "$(ps -ef | grep -ci '[n]amed')" -eq 0 ]
    then
        echo "$(date) Bind died, restarting" >> /var/log/named_monitor.log
        /usr/sbin/named
        exit 1
    fi
    exit 0

  67. Ok, "making a 'guest appearance'" now... lol! apk by Anonymous Coward · · Score: 0

    I don't *think* you guys understand HOW I am utilizing a HOSTS file, because of what you said about it being "monolithic" - I don't use it as a "DNS substitute" for all addresses possible online (because I would even find THAT HILARIOUS to try to do from a HOSTS file)!

    FOR SECURITY:

    I just do NOT setup local ones @ home (no point to burn the extra CPU cycles, & thus, electric power, or RAM + other forms of I/O used in them).

    I do so for security, and just because of things like:

    1.) This issue (it has a patch by the way) & vs. this, & the other numerous troubles in BIND over time, which are numerous (another 'case-in-point'/e.g. is "the Kaminsky Flaw" & other redirect/dns-poisoning attacks that have happened over time the past few yrs. now).

    2.) I currently BLOCK OUT 1,624,230++ KNOWN BAD SITES/SERVERS/HOSTS-DOMAINS in it that are KNOWN to serve up malicious exploits of various types in it, mostly... this is for security purposes, & specifically what's called "Layered-Security"/"Defense-in-Depth" security.

    FOR EXTRA SPEED:

    A.) I "hardcode in" about 250 of my FAVORITE sites into it (where I spend 99% of my time online), but, I don't attempt to "resolve the entire internet" via HOSTS either (which is what it sounds like you're thinking)... Doing this results in FASTER ONLINE WEBSURFING PERFORMANCE & gives faster resolution of hosts-domain names to IP Addresses, by far, than calling out to a remote DNS server, by orders of magnitude, & runs LESS RISK of being infested via redirected/DNS-poisoned ones too as noted above.

    B.) For blocking out adbanners, which have housed malicious script code in them MANY times in the recent past & before that even (last 8 yrs. or so I have records of this in multiple occurrences for example), & for the fact that adbanners take away bandwidth & speed YOU THE USER PAY FOR OUT OF POCKET!

    In fact, for websurfing? By feel alone, I can basically get as fast as any FIOS connection because of this, & getting ALL of the possible bandwidth I paid for...

    By the by: I do utilize DNS servers (albeit, 'external' ones/non-local to my computer here):

    Norton DNS:

    https://dns.norton.com/dnsweb/homePage.do

    Open DNS:

    https://store.opendns.com/get/basic

    ScrubIT DNS:

    http://www.scrubit.com/

    In a "triumvirate formation" (w/ in my Windows IP DNS settings + Hardware Router firewall)

    Why?

    Simply because they FILTER OUT known malicious sites threats too (phishing, spamming, & other malicious things like scripts for attack or that serve malware etc.).

    * Anyhow/anyways: HOSTS work, & for extra speed & security online!

    (It just works... especially mine since it's been built since 1997 for the above, & gets stronger every 15 minutes - plus it uses 0.0.0.0 for faster parsing, & I cut the local DNS cache in Windows (slows down on larger HOSTS files) & cache it like any file is cached, via the local kernelmode diskcache subsystem for reads/subsequent re-reads...!)

    APK

    P.S.=> I have it FULLY automated too, every 15 minutes it's being fed with data to block out adbanners + known malicious servers noted above from a pristine TEMP/SCRATCH copy from 17++ reputable & reliable sources for that in fact!

    I don't lift a finger to do it - pure "automagic" operations & has been since oh, roughly/approximately 2002 or thereabouts!

    (E.G./I.E.-> From 1997-2002 I built it using MS-Access for removal of duplicates, then Delphi app 2002-2010 which was FINE for the smaller lists of that data the way I built its deduplication/normalization algorithms).

    Now, it's built in a system that my nephew & I co-wrote in Python (I stuck by it because it's set deduplication/normal

  68. Re:A confusing summary on /., let me try to do bet by operagost · · Score: 1

    No it doesn't. It could have easily first appeared in the oldest of the supported OSes, or via a new feature (like IE) that is only supported on the listed OSes.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  69. Re:A confusing summary on /., let me try to do bet by operagost · · Score: 1

    Oh, and the list doesn't include XP, which is supported as long as you are on the last service pack, or Windows Server 2003. So the vulnerability first appeared in some service level of Vista.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  70. Re:Ok, "making a 'guest appearance'" now... lol! a by Anonymous Coward · · Score: 0

    "guest appearance?" Who the fuck are you?

    And why do you bother posting anonymous coward when you sign your name AND append it to the subject line? You are so gee-whiz smart you can block a million domains via a hosts file or whatever, yet you can't sign up for a slashdot account?

  71. Real question is, WHO R U? by Anonymous Coward · · Score: 0

    ANSWER = An "AC" off-topic illogical ad hominem attack using troll, telling me to use a "registered 'luser'" account here?

    You post as ac, & yet U rib on me for doing it too??

    Please... lol!

    * Besides, & above all else here? Your off-topic illogical ad hominem attack is the typical effete "last resort" of the blown away troll!

    Especially vs. the facts in my initial post you responded to here http://it.slashdot.org/comments.pl?sid=2531162&cid=38090616 whose enumerated facts listed you are WELCOME TO DISPROVE, & my noting that's good enough of a reply to you from myself & all you'll get in response from myself - that challenge in bold above...).

    APK

    P.S.=> Troll away if you wish, it's useless & WEAK... That is, unless you feel like disproving the known facts I enumerated in my initial post (in the link above) that you replied to, & good luck: YOU'LL NEED IT!

    (Simply because it's IMPOSSIBLE to refute is why, & many trolls who post ac & don't even "sign off" on them as I do have tried, & each has failed, miserably, every time).

    Man - Your "kind" online? LMAO - In a way, I have to THANK YOU... Why?

    Because you truly DO make me laugh (& yet you also make me look good, especially on HOSTS files posts I do).

    Ah, in the end here? Well... you KNOW I just GOTTA say it, as-is-per-my-usual "style" vs. off topic easily defeated illogical adhominem attack utilizing trolls such as yourself:

    This was just "too, Too, TOO EASY - just '2EZ'"

    1. Re:Real question is, WHO R U? by Anonymous Coward · · Score: 0

      Stupider part's 2 new 7 digit obviously fake 2 accounts 4 trolling in itchythebear\mcavic trying to attack you in the off topic manner you said as if they have supporters. The moron behind it must think this is facebook where noobie trolls try this transparent ploy and he's too stupid to realize how easily seen through that lame trick is each time it's done.

  72. Tell U what... apk by Anonymous Coward · · Score: 0

    Disprove the data I put up on HOSTS files here:

    http://it.slashdot.org/comments.pl?sid=2531162&cid=38090616

    And, in every point made by myself there on HOSTS files' value as a "layered-security"/"defense-in-depth" tool that can also yield FAR BETTER SPEED ONLINE as well?

    * You only make ME look good - just because you're yet another EASILY FLOORED TROLL that you are demonstrating yourself to be!

    APK

    P.S.=> Ah, man... This? THIS WAS JUST "too, Too, TOO EASY - just '2EZ'", as it always is vs. trolls like yourself that utilize off topic illogical ad hominem attacks when they're confronted with facts... apk

    1. Re:Tell U what... apk by Anonymous Coward · · Score: 0

      Hi Peter, it's Mummy.

      You're late for lunch Peter, so get out from the basement and come eat with me

      See you soon Peter and keep up that Awesomeness of yours, Peter ...

  73. Face this challenge then... apk by Anonymous Coward · · Score: 0

    Disprove the data I put up on HOSTS files here:

    http://it.slashdot.org/comments.pl?sid=2531162&cid=38090616

    And, in every point made by myself there on HOSTS files' value as a "layered-security"/"defense-in-depth" tool that can also yield FAR BETTER SPEED ONLINE as well?

    * You only make ME look good - just because you're yet another EASILY FLOORED TROLL that you are demonstrating yourself to be!

    APK

    P.S.=> Ah, man... This? THIS WAS JUST "too, Too, TOO EASY - just '2EZ'", as it always is vs. trolls like yourself that utilize off topic illogical ad hominem attacks when they're confronted with facts... apk

  74. Debian package was updated before this post hit /. by Anonymous Coward · · Score: 1

    n/t

  75. Unbound by Anonymous Coward · · Score: 0

    Good thing I chose Unbound when I set up my server... It's non-authoritative, but it works for what I need it for.

  76. Re:A confusing summary on /., let me try to do bet by xenobyte · · Score: 1

    It's funny, that this morning I had applied security patches to a debian stable box and thought "hmm, looks like BIND is getting fixed, wonder what that's about" before this even got posted to slashdot.

    Same here. Debian rules! :)

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  77. Re:Ok, "making a 'guest appearance'" now... lol! a by Anonymous Coward · · Score: 0

    I've heard people complain that a website named slashdot.org serves malicious software, could you add it to your list please ?

  78. Re:A confusing summary on /., let me try to do bet by Morty · · Score: 1

    Submitter here. Comments:

    0-day refers to the time when the bug is first exploited relative to when it is patched by the vendor. It has nothing to do with whether or not the exploit yields unauthorized access. It is entirely possible to have a 0-day DoS attack.

    There was no evidence on whether or not the bug was triggered deliberately. Hence why the summary referred to it as a "potential" 0-day, and said the problem "is believed to be" a 0-day vulnerability.

    At the time crashes were initially occurring, no patch existed. That made it a 0-day, assuming

    SANS is a well-known security organization. Hopefully folks who care about this sort of thing are aware that isc.sans.edu is not the same entity as isc.org.

    This is a "news for nerds" site. Plenty of folks aren't running BIND 9 directly from isc.org at their workplaces. Perhaps they are using distribution-bundled BIND, or they're running BIND 9 at home, or they're not running BIND 9 at all and are just curious about major vulnerabilities. I know I like to read about flaws in major Internet software even for packages I'm not running.

  79. Slashdot's in my HOSTS file (sped up) by Anonymous Coward · · Score: 0

    See subject-line above: /.'s in my HOSTS, except access to it's sped up via hardcodes (for extra speed of access to it!) - inclusive of its "main domain/site" & all "sub-domains/sites" as well... (using the terms 'loosely', hence the quotes).

    * There you go... always 1 step ahead here!

    APK

    P.S.=> Once again, I don't think you understand how HOSTS files work, & you may need to refer to this & read it -> http://it.slashdot.org/comments.pl?sid=2531162&cid=38090616

    ... apk

    1. Re:Slashdot's in my HOSTS file (sped up) by Anonymous Coward · · Score: 0

      I think you misunderstood my sarcasm so I'll rephrase it plain and simple:
      could you make it a 0.0.0.0 redirection, please ?

  80. Didn't U read this before? Sure U have by Anonymous Coward · · Score: 0

    http://it.slashdot.org/comments.pl?sid=2523490&cid=38047978

    * So much for your b.s., & your "credible" (lol, not) so-called "sources"...

    (Your off-topic illogical ad hominem attack attempts ALWAYS fail, just as you always do ac psycho-stalker troll, vs. myself)...

    APK

    P.S.=> You KNOW I've just GOTTA say it, as-per-my-usual style vs. yourself (the ac psycho-talker troll I have here on this site) -> This? This was just "too, Too, TOO EASY - just '2EZ'"

    ...apk

    1. Re:Didn't U read this before? Sure U have by Anonymous Coward · · Score: 0

      Oh Peter, I'm so sorry I made you run away like a kid last time: http://it.slashdot.org/comments.pl?sid=2523490&cid=38049512

      I hope that you're not mad at me Peter, I thought we could still be friends and rule the interwebz (lol) someday

      Keep up that Awesomeness of yours Peter !

      P.S.=> (hehe see how I'm using your old PS trick, Peter ?) this guy has it right : http://it.slashdot.org/comments.pl?sid=2531162&cid=38097154

  81. OpenBSD 5.0 + BIND by Anonymous Coward · · Score: 0

    OpenBSD 5.0 with BIND, is it affected too?

  82. Take ur own advice by Anonymous Coward · · Score: 0

    See subject-line above...

    APK

  83. Seeing you run? Priceless... apk by Anonymous Coward · · Score: 0

    Ur evading disproving my points on HOSTS here http://it.slashdot.org/comments.pl?sid=2531162&cid=38091706 is only proving my point also - thanks!

    * You only continue to make me look good...

    APK

    P.S.=> I don't know where this "mummy" crap comes from out of yourself either, but I own my home and don't live in a basement (quit projecting)...

    ... apk

    1. Re:Seeing you run? Priceless... apk by Anonymous Coward · · Score: 0

      You're really not good with sarcasm, are you ?

  84. "Rinse, Lather, & Repeat" lol... apk by Anonymous Coward · · Score: 0

    Seeing you run from this is priceless http://it.slashdot.org/comments.pl?sid=2531162&cid=38097258

    * You were asked there to disprove my points on HOSTS files on how they gain you better online speed, and also "defense-in-depth"/"layered-security" benefits as well vs. online threats too - funny how you RUN from disproving them!

    (Especially since you saw fit to try to "cut me down" & the topic here's on HOSTS file which Culture20 brought up)

    I also list better DNS servers for security there also, that filter vs. online threats (also how to use them in layered security fashion as well)...

    Top that off with using firewalls for purposes of security too (vs. IP address based threats, if not hosts-domain based ones too for layered security)? Well... your running away's "proof in the pudding" & proves my points, in that all you have is off topic bs as per your online psycho stalker illogical ad hominem attacks as usual - U FAIL.

    APK

    P.S.=> Off-Topic illogical ad hominem attacks from ac "psycho-stalker" trolls like yourself always make me laugh...

    ... apk

    1. Re:"Rinse, Lather, & Repeat" lol... apk by Anonymous Coward · · Score: 0

      Oh Peter I'm so sorry to hear that you're upset because of me

      Others (tom, jeremy, sarah, and so many others) have proved you wrong soooo many times all across slashdot and the Internet, but you don't listen to them at all, you just read one word out of two in their sentences and then you imagine some fantasy about what they said without trying to understand what they actually said Peter.

      Eventually people got tired of your SCREAMING and bolding and lol-ing and what-not and they just stopped trying to explain over and over again Peter.

      We are waaaay across that bridge now Peter and are just making fun of a 46-(47?)-years-old-basement-troll-writing-like-a-child which, agreed, is becoming more and more of a Legend on the Internet (not for the good reasons though). You should check Wikipedia regularly (or maybe uncyclopedia would be more appropriate ?), there'll soon be an entry about you, I promise.

      And as usual, keep up that Awesomeness of yours, Peter

  85. Running away from a challenge? LMAO! by Anonymous Coward · · Score: 0

    http://it.slashdot.org/comments.pl?sid=2531162&cid=38097258

    APK

    P.S.=> I'm far from upset - I am actually laughing, because seeing you run from the challenge in the link above is utterly hilarious, & even MORESO watching you stay off topic with your illogical ad hominem attack attempts on myself (seek professional help of some kind please, you need it imo)...

    ... apk

  86. Face the music here (disprove my points on HOSTS) by Anonymous Coward · · Score: 0

    http://it.slashdot.org/comments.pl?sid=2531162&cid=38091706

    APK

    P.S.=>

    "You're really not good with sarcasm, are you ?" - by Anonymous Coward on Friday November 18, @10:08AM

    You're not really good with facing up to facts on the topic @ hand Culture20 the initial poster on HOSTS files brought up, & YOU being challenged to disprove my points regarding HOSTS files benefits for added security & speed for folks, are you?

    Still - Thanks for proving my point that you're some sort of obviously "mentally troubled" individual that has nothing left but off-topic illogical ad hominem attacks to attempt to direct my way (& my easily disproving them)... it's hilarious watching you run from that challenge above also!

    I mean, please - the way you post as a TRULY "anonymous coward", with no indicator of who you really are, and your stalking me here on slashdot like some kind of online "psycho-stalker"? Man...

    Seriously - You have issues!

    So - once more, seek some sort of professional help (imo, you truly require it)...

    ... apk

  87. why? by Chirs · · Score: 1

    People who use asserts in fielded code are either (1) lazy or (2) dumb or (3) cheating their employers.

    Assuming performance isn't a problem, why wouldn't you leave them in on the off chance that you made a mistake in a corner case somewhere?

    1. Re:why? by Anonymous Coward · · Score: 0

      Usually when I write code, I leave the asserts in, but through various magic (the NDEBUG preprocessor macro, for instance), they become noops in the shipped code.

    2. Re:why? by blair1q · · Score: 1

      The fact that they're even there means you know there's a vulnerability, and you know you don't have a viable way to deal with it, and that your users will, eventually, run into it, probably in a situation where it causes them way more grief than the rest of your code is worth.

      Just using NDEBUG to turn them off is passing the buck to the rest of the code to crash cryptically instead of crashing identifiably, so it's even worse.
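
The disagreement in the thread above (leave the assert in and crash, or compile it out and carry on with bad data, or neither), as an added example that is not from BIND, ISC or any poster: a toy resolver cache in Python with the invariant written three ways. Python's `assert` is removed under `python -O`, which plays the role of NDEBUG here. The cache contents and the particular "inconsistency" (an A record carrying IPv6 data) are constructed stand-ins; the thread never says what the real BIND inconsistency was.

```python
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]                 # (rrtype, rdata)
Result = Tuple[str, Optional[Record]]    # (rcode, record or None)


def _is_ipv4(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def consistent(rrtype: str, rdata: str) -> bool:
    """The invariant every cache entry is supposed to satisfy: data matches type."""
    if rrtype == "A":
        return _is_ipv4(rdata)
    if rrtype == "AAAA":
        return ":" in rdata and "." not in rdata
    return True


# Constructed cache. The last entry is the kind of record that should never get in,
# but "impossible" input does arrive, as blair1q's mantra above says.
CACHE: Dict[str, Record] = {
    "www.example.net.":  ("A", "192.0.2.10"),
    "mail.example.net.": ("AAAA", "2001:db8::25"),
    "bad.example.net.":  ("A", "2001:db8::bad"),
}


def lookup_assert(name: str, cache: Dict[str, Record]) -> Result:
    """The style under discussion: the invariant is an assert. Without -O an
    inconsistent entry raises AssertionError (in a C daemon: abort(), every client
    loses); with -O the check is gone and the bad record is served as if valid."""
    entry = cache.get(name)
    if entry is None:
        return ("NXDOMAIN", None)
    assert consistent(*entry), f"inconsistent cache entry for {name}"
    return ("NOERROR", entry)


def lookup_checked(name: str, cache: Dict[str, Record]) -> Result:
    """Recover gracefully: evict the bad entry, fail only this one query with
    SERVFAIL, keep serving everybody else. A later query refetches the name."""
    entry = cache.get(name)
    if entry is None:
        return ("NXDOMAIN", None)
    if not consistent(*entry):
        del cache[name]
        return ("SERVFAIL", None)
    return ("NOERROR", entry)


def serve(queries: List[str], lookup: Callable[[str, Dict[str, Record]], Result],
          cache: Dict[str, Record]) -> List[Tuple[str, Result]]:
    """Push a batch of queries through one resolver process. An AssertionError
    models the daemon dying: the triggering query is recorded as CRASH and nothing
    after it is answered."""
    out: List[Tuple[str, Result]] = []
    for q in queries:
        try:
            out.append((q, lookup(q, cache)))
        except AssertionError:
            out.append((q, ("CRASH", None)))
            break
    return out


QUERIES = ["www.example.net.", "bad.example.net.", "mail.example.net."]

if __name__ == "__main__":
    print("assert style :", serve(QUERIES, lookup_assert, dict(CACHE)))
    print("checked style:", serve(QUERIES, lookup_checked, dict(CACHE)))
```

With the assert version the batch stops at the second query and mail.example.net. is never answered; run the same file with `python -O` and the assert version instead hands out ("A", "2001:db8::bad") as a NOERROR answer, the "passing the buck" outcome the reply above warns about. The checked version answers all three, SERVFAILs only the poisoned name, and has removed it from the cache so the next lookup starts clean.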

  88. Re:Face the music here (disprove my points on HOST by Anonymous Coward · · Score: 0

    You're not really good with facing up to facts on the topic @ hand Culture20 the initial poster on HOSTS files brought up

    Seriously ? Using an obviously sarcastic post that is modded '+5 Funny' as evidence of you being relevant ? You're too sarcastic dude, even for me ...

    the way you post as a TRULY "anonymous coward", with no indicator of who you really are

    Which part of "anonymous" and "coward" didn't you understand exactly ?

    ...

    Oh wait ... were you being sarcastic again ? hehehe you got me on this one dude

  89. Glad it's working 4U (you'll like this I think) by Anonymous Coward · · Score: 0

    Based on your success using a HOSTS file for added speed - you can also get more "layered-security"/"defense-in-depth" added as well, & here are some of the sites I use online to populate my HOSTS file vs. various online threats (all current, updated regularly, & reputable):

    http://hosts-file.net/?s=Download
    http://winhelp2002.mvps.org/hosts.htm
    http://someonewhocares.org/hosts/
    http://www.malwaredomainlist.com/hostslist/hosts.txt
    https://spyeyetracker.abuse.ch/monitor.php
    https://zeustracker.abuse.ch/monitor.php?filter=all
    http://amada.abuse.ch/palevotracker.php
    http://www.malware.com.br/cgi/submit?action=list_hosts_win_0000
    http://www.safer-networking.org/en/download/
    http://www.malwareurl.com/
    http://mirror1.malwaredomains.com/files/
    http://hostsfile.org/hosts.html
    http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples

    * There you go - that'll "get you started" on the road to not only FASTER websurfing, but also SAFER websurfing as well...

    APK

    P.S.=> Now, as far as "integrating" them into your HOSTS file?

    Those sites offer various tools for that (I have built my own over time & you can even use tools like MS-Access for the hard part, deduplication for unique entry data via SELECT DISTINCT queries if need be, but I think the best tool offered on 1 of those sites is a Perl deduplication script (you have to have Perl installed though) as far as the tools offered by others from those sources).

    Thus, You may wish to look into the FREE tools offered on those sites, if not compare them as well, & just for the purposes of import, deduplication/normalization, + more as well!

    So - enjoy & continued good luck to you (as well as "salutations" for trying a custom HOSTS file & experiencing what you have, thus far)...

    ... apk
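
The "import, deduplication/normalization" step the post above (and the earlier one describing a Python-based build of the HOSTS file) talks about, as an added example that is none of the posters' tools and not a script from any of the listed sites: merge several blocklists in hosts-file format into one deduplicated list that maps every name to 0.0.0.0. The three source lists are constructed to show the variations real downloads have (127.0.0.1 versus 0.0.0.0 prefixes, bare hostnames, tabs, mixed case, comments, several names on one line); the allowlist of loopback names is an assumption about what must never be blocked.

```python
import re
from typing import Iterable, Iterator, List

# Constructed samples standing in for three downloaded lists.
SOURCE_A = """\
# sample list A (127.0.0.1 style)
127.0.0.1 localhost
127.0.0.1 ads.example.com
127.0.0.1 Tracker.Example.NET    # mixed case, trailing comment
"""
SOURCE_B = """\
0.0.0.0 ads.example.com
0.0.0.0 malware.example.org
0.0.0.0\ttracker.example.net
::1 localhost
"""
SOURCE_C = """\
malware.example.org                         # bare hostname, no address
0.0.0.0 www.example.com www2.example.com    # several names on one line
"""

# Names that must never end up blocked, whatever a source list says (assumed set).
ALLOWLIST = {"localhost", "localhost.localdomain", "local", "broadcasthost",
             "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# RFC 1123 style hostname: labels of letters, digits and hyphens, 253 chars max.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$")


def _is_address(token: str) -> bool:
    """First field is an address if it is a dotted quad or contains a colon (IPv6)."""
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", token) is not None or ":" in token


def parse_hosts(text: str) -> Iterator[str]:
    """Yield normalised hostnames from hosts-file text, dropping comments, the
    address column, loopback names and anything that is not a valid hostname."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        names = fields[1:] if _is_address(fields[0]) else fields
        for name in names:
            name = name.lower().rstrip(".")
            if name in ALLOWLIST or not HOSTNAME.match(name):
                continue
            yield name


def merge(sources: Iterable[str]) -> List[str]:
    """Deduplicated, sorted union of every name in every source (the SELECT DISTINCT step)."""
    return sorted({name for src in sources for name in parse_hosts(src)})


def render(names: Iterable[str]) -> str:
    """One '0.0.0.0 name' line per host, ready to append below the system entries."""
    return "".join(f"0.0.0.0 {name}\n" for name in names)


if __name__ == "__main__":
    print(render(merge([SOURCE_A, SOURCE_B, SOURCE_C])), end="")
```

On the three samples the output is five lines: ads.example.com, malware.example.org, tracker.example.net, www.example.com and www2.example.com, each once, with localhost kept out of the blocklist. Anything with characters outside the hostname grammar (an underscore, a stray URL) is dropped rather than written into a file the OS parses on every lookup.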

  90. More evasions? Keep running & proving my point by Anonymous Coward · · Score: 0

    http://it.slashdot.org/comments.pl?sid=2531162&cid=38091706

    * This? As-per-my-usual, vs. yourself (the off-topic illogical ad hominem attack utilizing ac troll that stalks me all over /., which you have proven already in the links you post which I disprove easily in their bs)?

    Well, you KNOW I have to say it... lol: This was just "too, Too, TOO EASY - just '2EZ'"...

    APK

    P.S.=> See subject-line above, & that link I just posted - then again, you have, & are unable to disprove my points on HOSTS files (as you always are shown to run from, everytime)... like I always say, your doing so only makes me look good here & proves my points for me!

    ...apk

  91. Re:More evasions? Keep running & proving my po by Anonymous Coward · · Score: 0

    P.S.=> See subject-line above, & that link I just posted - then again, you have, & are unable to disprove my points on HOSTS files (as you always are shown to run from, everytime)...

    Peter, you hurt my Anonymous Coward feelings here, how many times do I have to tell you: many have disproven most of your points and you just ignored them and kept yelling at them (followed by your usual homophobic-driven insults, of course). Now we don't care anymore to disprove them again and again and again as we did so often in the past. We just want you to add

    0.0.0.0 slashdot.org

    in your host file.

    Really that's all there is to it.

    As for running away, I'd like you to answer these my dear:

    http://it.slashdot.org/comments.pl?sid=2531162&cid=38099124

    http://it.slashdot.org/comments.pl?sid=2531162&cid=38098256

    which you just seem to run away from ...

  92. Disprove the points on HOSTS I posted then by Anonymous Coward · · Score: 0

    http://it.slashdot.org/comments.pl?sid=2531162&cid=38091706

    * We would like to see you do that, because for once, it'd at least see you making an honest attempt to be on topic here for once, troll... Especially after your utter line of evasive b.s. here requoted:

    "many have disproven most of your points" - by Anonymous Coward on Friday November 18, @11:55AM (#38099858)

    OH, really? Then let's see YOU do so... ok?? You'll just post more b.s. & I am going to stop posting because I've made my point here & your evasions help me do it (that you're an off topic troll who is soundly beaten by his own stupidity).

    APK

    P.S.=> Of course, we'll never see you even try - it can't be done is why, lol... apk

    1. Re:Disprove the points on HOSTS I posted then by Anonymous Coward · · Score: 0

      I am going to stop posting

      Yipee ! Let this be forever

    2. Re:Disprove the points on HOSTS I posted then by Anonymous Coward · · Score: 0

      You forever evade this challenge http://it.slashdot.org/comments.pl?sid=2531162&cid=38091706 and your partial quotes of others aren't very effective either. Seek mental help troll. You need it. I am certain you've been told that before.

    3. Re:Disprove the points on HOSTS I posted then by Anonymous Coward · · Score: 0

      Seek mental help troll. You need it. I am certain you've been told that before.

      And so have you been told many times, and your answer was always of the like:

      Do YOU have a PHD in Psychiatry?

      to "disprove" the claim from others.

      Do we really need to remind you that much ?

  93. Mohandas Karamchand Gandhi by Anonymous Coward · · Score: 0

    "1st they ignore u, then they laugh at u, then they fight , then u win" -> http://it.slashdot.org/comments.pl?sid=2531162&cid=38091706

    1. Re:Mohandas Karamchand Gandhi by Anonymous Coward · · Score: 0

      I am going to stop posting

      Liar !

    2. Re:Mohandas Karamchand Gandhi by Anonymous Coward · · Score: 0

      Mohandas Karamchand Gandhi's no liar. You've tried mocking apk to no avail. You've tried debating/fighting apk to no avail. You evade disproving apk's points on hosts files here http://it.slashdot.org/comments.pl?sid=2531162&cid=38091706 because it's impossible to disprove truths apk stated, and you failed. Apk wins as Gandhi said. Partial quotes of what Apk said from you don't fool anybody but yourself. Get yourself a shrink. You need one.

  94. Keep evading disproving what was asked of you by Anonymous Coward · · Score: 0

    To disprove apk's points on HOSTS files here http://it.slashdot.org/comments.pl?sid=2531162&cid=38091706 since that's all the proof anyone here requires that you are not only an off topic troll but also a technically weak one on your part.

  95. Paul Vixie == evil by Anonymous Coward · · Score: 0

    Paul Vixie is famous for his crappy software, as well as his attempts to manipulate the news and sling mud at his opponents when BIND bugs are revealed (which happens quite often). Read DJB's (Daniel J. Bernstein) articles, and look at the djbdns suite. I would never install BIND anywhere. It's not only buggy, it's a stupid, poorly designed piece of software that a normal person (but not sociopaths like Paul Vixie) would be ashamed of.

    *Another* BIND bug? Why do people still use this crap?