Critical BIND Denial-of-Service Flaw Could Take Down DNS Servers
alphadogg writes: Attackers could exploit a new vulnerability in BIND, the most popular Domain Name System (DNS) server software, to disrupt the Internet for many users. The vulnerability affects all versions of BIND 9, from BIND 9.1.0 to BIND 9.10.2-P2, and can be exploited to crash DNS servers that are powered by the software. The vulnerability announced and patched by the Internet Systems Consortium is critical because it can be used to crash both authoritative and recursive DNS servers with a single packet.
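The summary gives an inclusive affected range, 9.1.0 through 9.10.2-P2, and BIND version strings carry pre-release tags (b1, rc1) and -Pn patch levels that a naive string compare gets wrong. The following is an added example (not ISC's code or anything from the story) that orders those strings correctly and checks the stated range; the sample `named -v` outputs are constructed. Two caveats a practitioner needs: distribution packages often backport the fix without changing the upstream version string, so for packaged BIND the package changelog or vendor advisory is authoritative, and ISC publishes fixed releases per maintained branch, so consult the ISC advisory before treating an older-branch release as vulnerable on this range alone.

```python
import re
from typing import Optional, Tuple

# Range as stated in the summary above: BIND 9.1.0 through 9.10.2-P2 inclusive.
FIRST_AFFECTED = "9.1.0"
LAST_AFFECTED = "9.10.2-P2"

# major.minor.patch, optional b1/rc1 pre-release tag, optional -Pn patch level.
# Anything after that (e.g. a distro's "-RedHat-..." suffix) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(b|rc)(\d+))?(?:-P(\d+))?")
_STAGE_RANK = {"b": 0, "rc": 1, None: 2}   # beta < release candidate < final

VersionKey = Tuple[int, int, int, int, int, int]


def parse_bind_version(text: str) -> Optional[VersionKey]:
    """Turn '9.10.2-P2' into a tuple that sorts the way releases do.

    Order: major, minor, patch, stage (beta < rc < final), stage number,
    then the -Pn security patch level. Unrecognised input returns None.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, stage, stage_num, plevel = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage],
            int(stage_num or 0), int(plevel or 0))


def in_affected_range(version: str) -> bool:
    """True if the upstream version string falls inside the stated range."""
    key = parse_bind_version(version)
    if key is None:
        raise ValueError(f"unrecognised BIND version string: {version!r}")
    low = parse_bind_version(FIRST_AFFECTED)
    high = parse_bind_version(LAST_AFFECTED)
    return low <= key <= high


def version_from_named_v(output: str) -> Optional[str]:
    """Pull the version token out of `named -v` output ("BIND 9.10.2-P2 ...")."""
    m = re.search(r"\bBIND\s+(\S+)", output)
    return m.group(1) if m else None


# Constructed sample outputs (not captured from a real host). The vendor
# suffix on the second one mirrors the form Red Hat-family packages print;
# the parser ignores it, which is exactly why the packaging caveat applies.
SAMPLE_UPSTREAM = "BIND 9.10.2-P2"
SAMPLE_PACKAGED = "BIND 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.2"

if __name__ == "__main__":
    for sample in (SAMPLE_UPSTREAM, SAMPLE_PACKAGED):
        v = version_from_named_v(sample)
        print(v, "in stated range:", in_affected_range(v))
```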
I noticed this on Google News yesterday - checked a CentOS 7 box to find that yum had installed the patch overnight on 7/28 and systemd had restarted named for me. Good work, everybody. Make sure your updates are working.
Oh, hai dollar-short Slashdot.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Patched updates rolled out long before /. reported it (shock, horror).
If Debian is any guide most distros have already done the same and anyone running unattended-updates for security patches has been updated for several days (25th).
must die!
Moo moo app app moo moo app. App app moo? MOOOOO app app moo moo app.
Microsoft trying to distract from the disaster that is their failed new product release?
Or... we fix the hardware with LISP machines. We had them in the 1980's and a bright future was ahead. We forsook that future. Instead of Iron and Hope, what we now have to look forward to is the rust engulfing a crumbling empire built on the toys we chose instead during the 1980's.
LISP? Seriously? It isn't statically typed. It uses garbage collection, which isn't deterministic. It doesn't have an advanced borrow checker like Rust has. LISP is a toy compared to Rust. There's a reason LISP died in the 80s: it's an academic wank-fest, not a real programming language!
The US Gov knew and published this on the 28th. Way to be 3 days late, and no doubt why /. is more than a dollar short.
https://www.us-cert.gov/ncas/current-activity
Fine. You go write a DNS server and see how horribly buggy your shit is. (hint: DNS is a *complicated* protocol)
if you want to see a shitty DNS server implementation you should look at Microsoft's one. there's a reason BIND is everywhere.
Does RUST support HOSTS files?
Now imagine if Windows had done the same thing. Slashdot would be in an uproar.
First I need to imagine it's that Tuesday of the month. [shuts eyes] Nope, doesn't work (maybe it's the same with wishful "thunking"?).
No it isn't... it's one of the oldest and simplest protocols around, you freetard. And the fact that BIND still has exploitable bugs on a protocol that is decades old shows how terrible freetards are at programming.
*cough* That coward was being ironic. Whether it was intentional or not is beside the point. It was nice satire too.
You'd think the version number might be a clue. Oh wait... this is /. The entrance requirement is an internet connection and a keyboard.
Instituting one of those simple math question robot checks would double the signal:noise ratio - and reduce the advertising revenue by 70% (I'm allowing for the adblock users).
I want to block you guys with a hosts file entry. Hosts file entries are for APK. AAAAAAAAPPPPPPPPKKKKKKKK!
Is it Japanese? If it's not it must be shit. ...
AniMoJo
Bind is how old now? So does this put it back in the critical flaw lead, or is that position still held by Sendmail?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
You guys are fucking hilarious.
Actually, it's not that simple. The DNS compression scheme is horrendous, although that can be easily isolated. Most of the complexity of DNS servers comes from 1) caching and recursive logic for client-side servers, 2) automating zone transfers, 3) various schemes for avoiding DoS attacks. Dedicated servers like NSD and unbound, which either serve a zone _or_ implement recursive lookups for clients, can be a little simpler. In retrospect splitting those functions was the better way to go, leaving some of the complexity with the sysadmins. BIND tries to do everything, _plus_ has more features than either of those two combined.
If you look at a similarly complex server, PowerDNS, then BIND's track record doesn't look so bad. DNS _is_ complicated if you include the dozens of various RFCs. But if you don't try to do it all in the same daemon, and if you punt on some of the more esoteric features, you can dramatically improve your security.
Part of why BIND is so complex is because many standards were first implemented and hashed-out using BIND. When it comes to security, there's a significant second- and third-mover advantage.
Full disclosure: I'm the author of an asynchronous DNS client implementation that _also_ optionally does recursive lookups: https://github.com/wahern/dns. It's not just a stub resolver, and doesn't require a local caching resolver. Among other things this makes it incredibly useful for debugging DNS issues, because you can see the response packets starting from the TLDs. It's amazing the crazy stuff that's sent out on the wire, which is usually hidden behind the caching resolver.
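The post above calls the DNS name compression scheme horrendous; the part that bites implementers is that an RFC 1035 compression pointer is an offset chosen by the sender, so a decoder that follows it blindly can be walked off the end of the packet or around a cycle. As an added example, not code from the post, the linked library or BIND, here is a name decoder in Python with the three checks that close those holes (bounds, backward-only pointers, no target followed twice); the two packets it decodes are constructed inline.

```python
import struct

MAX_NAME_LEN = 255  # RFC 1035 limit on the wire-format length of a name


class DnsParseError(ValueError):
    """Raised for any malformed or hostile name encoding."""


def read_name(packet: bytes, offset: int):
    """Decode a possibly compressed domain name starting at `offset`.

    Returns (name, offset_after_name). Every read is bounds-checked, a
    pointer may only refer back to an earlier offset (RFC 1035 4.1.4), and
    no pointer target is followed twice, so a crafted pointer cycle raises
    instead of spinning the parser. The 255-octet cap bounds the work even
    for pointer chains that are technically acyclic.
    """
    labels = []
    wire_len = 0            # decoded length so far, excluding the root byte
    resume_at = None        # set at the first pointer; the caller resumes there
    seen_targets = set()
    pos = offset
    while True:
        if pos >= len(packet):
            raise DnsParseError("name runs past end of packet")
        length = packet[pos]
        if length == 0:                      # root label: end of name
            pos += 1
            break
        if length & 0xC0 == 0xC0:            # 11xxxxxx: compression pointer
            if pos + 1 >= len(packet):
                raise DnsParseError("truncated compression pointer")
            target = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            if resume_at is None:
                resume_at = pos + 2
            if target >= pos:
                raise DnsParseError("forward or self-referencing pointer")
            if target in seen_targets:
                raise DnsParseError("compression pointer loop")
            seen_targets.add(target)
            pos = target
            continue
        if length & 0xC0:                    # 01xxxxxx / 10xxxxxx are reserved
            raise DnsParseError("reserved label type")
        start, stop = pos + 1, pos + 1 + length
        if stop > len(packet):
            raise DnsParseError("label runs past end of packet")
        wire_len += length + 1
        if wire_len + 1 > MAX_NAME_LEN:      # +1 for the terminating root label
            raise DnsParseError("name exceeds 255 octets")
        labels.append(packet[start:stop].decode("ascii", "replace"))
        pos = stop
    if resume_at is None:
        resume_at = pos
    return ".".join(labels) + ".", resume_at


def name_is_well_formed(packet: bytes, offset: int) -> bool:
    """Convenience wrapper: True if the name at `offset` decodes cleanly."""
    try:
        read_name(packet, offset)
        return True
    except DnsParseError:
        return False


# Constructed sample: "www.example.com." at offset 0, followed by a pointer
# to offset 4 that compresses to "example.com." (no real traffic involved).
SAMPLE = b"\x03www\x07example\x03com\x00" + b"\xc0\x04"
# Constructed hostile sample: the pointer at offset 4 refers back to the
# label at offset 0, which flows straight into the same pointer: a cycle.
LOOPING = b"\x03abc\xc0\x00"

if __name__ == "__main__":
    print(read_name(SAMPLE, 0))              # ('www.example.com.', 17)
    print(read_name(SAMPLE, 17))             # ('example.com.', 19)
    print(name_is_well_formed(LOOPING, 0))   # False
```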
I've never understood why DNS servers bother with zone transfers. These days, it would take an average admin three minutes to toss together something involving a cron job, rsync, and ssh that would do the same job without adding all that extra code and the extra attack surface that comes along with it. Heck, with access to platform-specific file system event APIs, you could probably come up with something that worked a lot better, up to and including near-instantaneous updates. That entire feature just seems like pure bloat, and that's coming from somebody who actually uses zone transfers....
Check out my sci-fi/humor trilogy at PatriotsBooks.
seems like we're starting to get a beowulf cluster of these wannabe trolls
Now imagine if Windows had done the same thing. Slashdot would be in an uproar.
Bullshit, stop trolling. When Microsoft releases a patch which doesn't break anything, nobody complains. It's when they release "patches" which alter the behavior of the operating system in undesirable ways that we get our knickers twisted.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I've never understood why DNS servers bother with zone transfers.
Yes, and many people disable them, and some DNS servers don't even have the functionality.
Heck, with access to platform-specific file system event APIs, you could probably come up with something that worked a lot better, up to and including near-instantaneous updates.
Well, obviously if you have a system of any complexity, you should be stuffing the records into a database and then generating the zone files from that. You can handle your replication at that level. Give your serial numbers meaning (as a timestamp, typically) to avoid issues there.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
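The database-to-zone-file approach above has one detail that bites in practice: the SOA serial is an unsigned 32-bit field that secondaries compare with serial arithmetic, so a timestamp-shaped serial still has to increase strictly, including when more than a hundred changes land in one day or when the deployed serial is already ahead of the clock. This added example (not the commenter's code) implements that generator in Python; the zone name, nameserver names and records are constructed.

```python
import re
from datetime import date
from typing import List, Optional, Tuple

# A record is (owner, type, rdata); owner is relative to the zone origin.
Record = Tuple[str, str, str]

SERIAL_RE = re.compile(r"\bSOA\b[^(]*\(\s*(\d+)")
MAX_SERIAL = 2**32 - 1     # SOA serial is an unsigned 32-bit field


def next_serial(previous: Optional[int], today: date) -> int:
    """YYYYMMDDnn serial that is also strictly greater than `previous`.

    The date form carries meaning for humans; the max() handles the two
    cases it cannot cover alone: more than 100 changes on one day, and a
    previous serial already ahead of today (clock skew or a hand edit).
    """
    base = int(today.strftime("%Y%m%d")) * 100
    serial = base if previous is None else max(base, previous + 1)
    if serial > MAX_SERIAL:
        raise ValueError("serial would overflow 32 bits")
    return serial


def render_zone(origin: str, serial: int, primary_ns: str, hostmaster: str,
                records: List[Record], ttl: int = 3600) -> str:
    """Render a complete zone file from database-style records."""
    if not origin.endswith("."):
        raise ValueError("origin must be fully qualified")
    lines = [
        f"$ORIGIN {origin}",
        f"$TTL {ttl}",
        f"@ IN SOA {primary_ns} {hostmaster} (",
        f"        {serial} ; serial (YYYYMMDDnn)",
        "        7200 ; refresh",
        "        900 ; retry",
        "        1209600 ; expire",
        "        3600 ) ; minimum",
    ]
    for owner, rtype, rdata in records:
        lines.append(f"{owner} IN {rtype} {rdata}")
    return "\n".join(lines) + "\n"


def current_serial(zone_text: str) -> Optional[int]:
    """Read the serial back out of a deployed zone (None if no SOA found)."""
    m = SERIAL_RE.search(zone_text)
    return int(m.group(1)) if m else None


def regenerate(origin: str, deployed_zone: str, records: List[Record],
               today: date, primary_ns: str, hostmaster: str) -> str:
    """One replication step: bump the serial past the deployed one, re-render."""
    serial = next_serial(current_serial(deployed_zone), today)
    return render_zone(origin, serial, primary_ns, hostmaster, records)


# Constructed sample data for a hypothetical zone example.test.
SAMPLE_DAY = date(2015, 7, 31)
RECORDS: List[Record] = [
    ("@", "NS", "ns1.example.test."),
    ("@", "NS", "ns2.example.test."),
    ("ns1", "A", "192.0.2.1"),
    ("www", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    first = regenerate("example.test.", "", RECORDS, SAMPLE_DAY,
                       "ns1.example.test.", "hostmaster.example.test.")
    second = regenerate("example.test.", first, RECORDS, SAMPLE_DAY,
                        "ns1.example.test.", "hostmaster.example.test.")
    print(current_serial(first), current_serial(second))  # 2015073100 2015073101
```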
A heads up for those running CentOS 6.6. This issue is not patched by default (because CentOS is in the midst of the transition from 6.6 to 6.7). Sysadmins using bog-standard CentOS 6.6 bind will need to enable the continuous release (CR) repository and update bind using that.
See the CentOS 6 Security Support forum post CVE-2015-5477 patch for centos 6
Wondering if this issue is serious enough to warrant the CentOS folk putting some patched bind rpms in the CentOS 6.6 updates repo? My guess is that a lot of people might miss the patch otherwise.
Don't you just long for the days when sendmail and bind would be always in the news because of some flaw or other? Heck, didn't we all run alternatives because sendmail and bind were so buggy...
How long has it been since we last had a Bind security issue...
"I've never understood why DNS servers bother with zone transfers. These days, it would take an average admin three minutes to toss together something involving a cron job, rsync, and ssh"
So if you are an ISP providing a secondary DNS service, you're happy to create accounts with ssh/rsync access for 10 000 customers who all have more lax security than you do?
Talk about attack surface ... (even with forced command etc.).
That said, assuming the complexity isn't in serving the AXFR requests, I see no reason why the function to retrieve the zone needs to be inside the daemon listening on port 53. Of course it would need to trigger transfers based on notifies, but that could be done quite easily (a simple file or a named socket).
I wrote a DNS server from scratch and it crashed bind.
Not sure if it's still true but I remember that most dos attacks on bind were the result of the same programming error.
That's why I'm writing my own. Nope, I'm not kidding. It's called fDns and will probably be the fastest authority DNS server there is.
please use swift, rust, sappeur, java or c# for that project. memory safety and strong typing sterilizes many bugs. security wise.
yeah, when you run out of arguments, start insulting.
I'm using C with LMDB. Think of it as Tinydns on steroids. With Lua.
Right, it's because CentOS 6.7 hasn't been released yet and Red Hat hasn't made an upgrade for RHEL 6.6.
Thus if you had RHEL 6.6 and hadn't yet upgraded to 6.7 you would have the same situation.
But, fortunately there is a solution available, which you may choose to take. Upgrade to the continuous release version and get upgrades from there before the official point release is available.
What you need to do is simply
# yum install centos-release-cr
Make sure you have enough free space available for several hundred packages (/var/cache/yum/) when doing the 6.6 to CR upgrade, which is quite close to 6.7, then
# yum clean all
# yum upgrade
Then it's probably a good idea to reboot after that, too, to get the new kernel etc.
Cheers,
ac
This kind of information is usually available from the mailing list & archives of the list for the release you use, as is the case here too. There you have the answer; check the thread and read the CR wiki page pointed to from that answer, please.
I wrote mine with hookers and blackjack.
Sure. You give them all a shell account with access to their own zone files, and you require them to provide a public key for authentication (no passwords to attack). Then, you have a separate process that watches for changes and updates the official zone files that the daemon reads. Clearly, a daemon that has write access to all of the zone files is inherently less safe than a series of ssh accounts, each with access to only a single user's files, coupled with a daemon that has only read-only access to copies of the original zone files.
Check out my sci-fi/humor trilogy at PatriotsBooks.
:LISP can build, index, update and use GIANT HOSTS FILES
You lose! Grovel like a worm before the Queen of Programming Languages(TM)!!
Sure. You give them all a shell account with access to their own zone files, and you require them to provide a public key for authentication (no passwords to attack).
You seem to be forgetting the fact that the DNS zone transfer mechanism long predates the use of public keys for authentication. It's older than Kerberos, even. You don't change such an entrenched system without a pressing need, and AXFR works adequately for a lot of scenarios even today.
See subject: I combine hosts w/ OpenDNS complementing DNS - I don't attempt to resolve 'every host-domain there is online' via hosts, only my favorites @ the top of the file (20 of them, which beats hashtable indexing or b-tree binary seeks past 2++ million records no less).
I use specialized REMOTE (not locally here as a separate redundant wasteful recursive server or even as a service/daemon) FILTERING DNS SERVERS that help block out malicious sites/servers/hosts-domains via DNSBLs:
---
OpenDNS:
208.67.222.222
208.67.220.220
---
APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...
FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community!
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
&
It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model also https://www.virustotal.com/en/...
---
"The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...
APK
P.S.=> "Accept NO substitutes" for protection vs. threats of this nature & for more speed, security, reliability & even anonymity online + your monies' worth in your bandwidth back as well
... apk
Hosts combined w/ OpenDNS complement one another. I don't resolve 'every host-domain there is' via hosts, only my favorites @ top of hosts (20 of them beating indexing past 2++ million records).
THIS IS WHERE ANYONE SPENDS MOST OF THEIR TIME ONLINE! It's faster & more efficient than calling out to remote DNS servers.
The placement of favs for FAST RESOLUTION from memory (hosts are cached like any file is) additionally saves CPU cycles, RAM, + other forms of I/O by turning off the slower usermode clientside DNS cache service, instead opting for the kernelmode diskcache (no context switch overhead to the IP stack either this way).
The rest of my hosts files' entries are 3,782,195++ blocked entries vs. malware & ads of many kinds.
I use REMOTE (not locally here as a separate redundant wasteful recursive server or even as a service/daemon) FILTERING DNS SERVERS that help block out malicious sites/servers/hosts-domains via DNSBLs!
---
OpenDNS:
208.67.222.222
208.67.220.220
It's patched vs. the Kaminsky redirect poisoning security issue - 99.999% of ISP DNS aren't.
---
This LIGHTENS remote DNS server loads - admins of them should like that too!
How do I make my hosts?
APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...
FREE & adds speed, security, + reliability, doing more w/ less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community!
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
APK
P.S.=> GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model also https://www.virustotal.com/en/...
... apk
I'm not forgetting. Then again, that was also true for telnet back when I started setting up DNS zone transfers.... Just saying. :-)
Check out my sci-fi/humor trilogy at PatriotsBooks.
Hosts combined w/ OpenDNS complement one another. I don't resolve 'every host-domain there is' via hosts, only my favorites @ top of hosts (20 of them beating indexing past 2++ million records).
It's where ANYONE spends MOST OF THEIR TIME online - & it's faster + more efficient vs. calling to remote DNS servers.
Placement of favs thus, for FAST RESOLUTION from memory (hosts are cached like any file is), additionally saves CPU cycles, RAM, + I/O turning off the slower usermode clientside DNS cache service, instead opting for the kernelmode diskcache (no context switch overhead to the IP stack either this way).
The rest of my hosts files' entries are 3,782,195++ blocked entries vs. malware & ads of many kinds.
I use REMOTE FILTERING DNS SERVERS that help block out malicious sites/servers/hosts-domains via DNSBLs (not locally here as a separate redundant wasteful recursive server or a service/daemon).
---
OpenDNS:
208.67.222.222
208.67.220.220
Patched vs. Kaminsky redirect poisoning - 99.999% of ISP DNS aren't.
---
It LIGHTENS remote DNS loads - admins of 'em should like that!
How do I make my hosts (& do reverse dns pings for faster, more reliable, & safer connections)?
APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...
FREE & adds speed, security, + reliability, doing more w/ less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining data vs. online threats & adbanner blocking from 10 reputable sites in the security community!
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
APK
P.S.=> It's GUARANTEED safe per being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model also https://www.virustotal.com/en/...
... apk