Critical BIND Denial-of-Service Flaw Could Take Down DNS Servers
alphadogg writes: Attackers could exploit a new vulnerability in BIND, the most popular Domain Name System (DNS) server software, to disrupt the Internet for many users. The vulnerability affects all versions of BIND 9, from BIND 9.1.0 to BIND 9.10.2-P2, and can be exploited to crash DNS servers that are powered by the software. The vulnerability announced and patched by the Internet Systems Consortium is critical because it can be used to crash both authoritative and recursive DNS servers with a single packet.
I noticed this on Google News yesterday - checked a CentOS 7 box to find that yum had installed the patch overnight on 7/28 and systemd had restarted named for me. Good work, everybody. Make sure your updates are working.
Oh, hai dollar-short Slashdot.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Patched updates rolled out long before /. reported it (shock, horror).
If Debian is any guide most distros have already done the same and anyone running unattended-updates for security patches has been updated for several days (25th).
The US Gov knew and published this on the 28th. Way to be 3 days late, and no doubt why /. is more than a dollar short.
https://www.us-cert.gov/ncas/current-activity
Fine. You go write a DNS server and see how horribly buggy your shit is. (hint: DNS is a *complicated* protocol)
Now imagine if Windows had done the same thing. Slashdot would be in an uproar.
First I need to imagine it's that Tuesday of the month. [shuts eyes] Nope, doesn't work (maybe it's the same with wishful "thunking"?).
No it isn't... it's one of the oldest and simplest protocols around, you freetard. And the fact that BIND still has exploitable bugs on a protocol that is decades old shows how terrible freetards are at programming.
*cough* That coward was being ironic. Whether it was intentional or not is beside the point. It was nice satire too.
You'd think the version number might be a clue. Oh wait... this is /. The entrance requirement is an internet connection and a keyboard.
Instituting one of those simple math question robot checks would double the signal:noise ratio - and reduce the advertising revenue by 70% (I'm allowing for the adblock users).
I want to block you guys with a hosts file entry. Hosts file entries are for APK. AAAAAAAAPPPPPPPPKKKKKKKK!
You guys are fucking hilarious.
Eh.... probably not, actually.
But these two from yesterday definitely were:
On Linux, $550 Radeon R9 Fury Competes With $200~350 NVIDIA GPUs
Windows 10 App For Xbox One Could Render Steam Machines Useless
I've never understood why DNS servers bother with zone transfers. These days, it would take an average admin three minutes to toss together something involving a cron job, rsync, and ssh that would do the same job without adding all that extra code and the extra attack surface that comes along with it. Heck, with access to platform-specific file system event APIs, you could probably come up with something that worked a lot better, up to and including near-instantaneous updates. That entire feature just seems like pure bloat, and that's coming from somebody who actually uses zone transfers....
Check out my sci-fi/humor trilogy at PatriotsBooks.
Now imagine if Windows had done the same thing. Slashdot would be in an uproar.
Bullshit, stop trolling. When Microsoft releases a patch which doesn't break anything, nobody complains. It's when they release "patches" which alter the behavior of the operating system in undesirable ways that we get our knickers twisted.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I've never understood why DNS servers bother with zone transfers.
Yes, and many people disable them, and some DNS servers don't even have the functionality.
Heck, with access to platform-specific file system event APIs, you could probably come up with something that worked a lot better, up to and including near-instantaneous updates.
Well, obviously if you have a system of any complexity, you should be stuffing the records into a database and then generating the zone files from that. You can handle your replication at that level. Give your serial numbers meaning (as a timestamp, typically) to avoid issues there.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
A heads up for those running CentOS 6.6. This issue is not patched by default (because CentOS is in the midst of the transition from 6.6 to 6.7). Sysadmins using bog-standard CentOS 6.6 bind will need to enable the continuous release (CR) repository and update bind using that.
See the CentOS 6 Security Support forum post "CVE-2015-5477 patch for centos 6".
Wondering if this issue is serious enough to warrant the CentOS folk putting some patched bind rpms in the CentOS 6.6 updates repo? My guess is that a lot of people might miss the patch otherwise.
Don't you just long for the days when sendmail and bind would be always in the news because of some flaw or other? Heck, didn't we all run alternatives because sendmail and bind were so buggy...
How long has it been since we last had a Bind security issue...
"I've never understood why DNS servers bother with zone transfers. These days, it would take an average admin three minutes to toss together something involving a cron job, rsync, and ssh"
So if you are an ISP providing a secondary DNS service, you're happy to create accounts with ssh/rsync access for 10 000 customers who all have more lax security than you do?
Talk about attack surface ... (even with forced command etc.).
That said, assuming the complexity isn't in serving the AXFR requests, I see no reason why the function to retrieve the zone needs to be inside the daemon listening on port 53. Of course it would need to trigger transfers based on notifies, but that could be done quite easily (a simple file or a named socket).
That's why I'm writing my own. Nope, I'm not kidding. It's called fDns and will probably be the fastest authority DNS server there is.
I'm using C with LMDB. Think of it as Tinydns on steroids. With Lua.
Right, it's because CentOS 6.7 hasn't been released yet and Red Hat hasn't made an upgrade for RHEL 6.6.
Thus if you had RHEL 6.6 and hadn't yet upgraded to 6.7 you would have the same situation.
But, fortunately there is a solution available, which you may choose to take. Upgrade to the continuous release version and get upgrades from there before the official point release is available.
What you need to do is simply
# yum install centos-release-cr
Make sure you have enough free space available for several hundred packages (/var/cache/yum/) when doing the 6.6 to CR upgrade, which is quite close to 6.7, then
# yum clean all
# yum upgrade
Then it's probably a good idea to reboot after that, too, to get the new kernel etc. stuff
Cheers,
ac
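An added check to run after the upgrade procedure above (example code written for this page, not from the thread, ISC or CentOS): it combines the upstream version printed by `named -v` with the package changelog from `rpm -q --changelog bind`, because Red Hat and CentOS backport fixes without bumping the upstream version number, so a 9.8.2 banner on CentOS 6 can already carry the CVE-2015-5477 fix while a range check alone would flag it. The affected range is the one stated in the summary at the top of the thread; the sample changelog, banner strings and status names are constructed for this example.

```python
import re

CVE = "CVE-2015-5477"
# Affected upstream range as stated in the thread summary, inclusive:
# (major, minor, patch, P-level) for 9.1.0 through 9.10.2-P2.
AFFECTED_FROM, AFFECTED_THROUGH = (9, 1, 0, 0), (9, 10, 2, 2)

# Constructed sample of `rpm -q --changelog bind` output; not a real changelog.
# rpm prints entries newest first, so a CVE named anywhere in the installed
# package's own changelog means that build already carries the backported fix.
SAMPLE_CHANGELOG = """\
* Tue Jul 28 2015 Example Packager <packager@example.invalid> - 32:9.8.2-0.37.el6_7.1
- Fix CVE-2015-5477 (named crash triggered by a single packet)

* Mon Jun 01 2015 Example Packager <packager@example.invalid> - 32:9.8.2-0.37.el6
- Rebuild against updated openssl
"""

def parse_banner(banner):
    """Parse `named -v` output into (major, minor, patch, P-level).
    Handles upstream banners ('BIND 9.10.2-P2') and distro banners
    ('BIND 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.1'); the trailing package
    release is ignored because it says nothing about the upstream version."""
    m = re.match(r"^BIND\s+(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?", banner.strip())
    if not m:
        raise ValueError(f"unrecognised named -v output: {banner!r}")
    return tuple(int(x or 0) for x in m.groups())

def changelog_mentions(changelog, cve=CVE):
    """True if any changelog line references the CVE identifier."""
    return any(cve in line for line in changelog.splitlines())

def patch_status(banner, changelog=""):
    """Classify a server as 'outside-range', 'backport-patched' or
    'needs-attention' (status names are this example's own).
    'needs-attention' means: update the package, or check the ISC advisory
    for the exact fixed upstream releases (not reproduced on this page);
    it is not by itself proof that the server is vulnerable."""
    if not AFFECTED_FROM <= parse_banner(banner) <= AFFECTED_THROUGH:
        return "outside-range"
    if changelog_mentions(changelog):
        return "backport-patched"
    return "needs-attention"

if __name__ == "__main__":
    for banner, log in [("BIND 9.10.2-P2", ""),
                        ("BIND 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.1", SAMPLE_CHANGELOG)]:
        print(banner, "->", patch_status(banner, log))
```

On a real box, feed it the actual outputs of `named -v` and `rpm -q --changelog bind`, and remember that a restarted named is what matters, not just an updated package on disk.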
This kind of information is usually available from the mailing list & archives of the list for the release you use, as is the case here too. There you have the answer; check the thread and read the CR wiki page pointed to from that answer, please.
Bind has been rewritten practically from scratch multiple times. This has strangely not helped security as much as one would hope...
To be fair, at least they are mostly DoS bugs, not root-in-one-packet like in the good old days. At least we hope they are.
Finally! A year of moderation! Ready for 2019?
Sure. You give them all a shell account with access to their own zone files, and you require them to provide a public key for authentication (no passwords to attack). Then, you have a separate process that watches for changes and updates the official zone files that the daemon reads. Clearly, a daemon that has write access to all of the zone files is inherently less safe than a series of ssh accounts, each with access to only a single user's files, coupled with a daemon that has only read-only access to copies of the original zone files.
Check out my sci-fi/humor trilogy at PatriotsBooks.
:LISP can build, index, update and use GIANT HOSTS FILES
You lose! Grovel like a worm before the Queen of Programming Languages(TM)!!
I'm not forgetting. Then again, that was also true for telnet back when I started setting up DNS zone transfers.... Just saying. :-)
Check out my sci-fi/humor trilogy at PatriotsBooks.