DNS security & new BIND releases

Published: 2007-01-28
Last Updated: 2007-01-29 21:14:06 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

Last Thursday, the Internet Systems Consortium released new versions of the popular BIND DNS server software. The new releases, 9.2.8, 9.3.4 and 9.4.0rc2 contain fixes for two security vulnerabilities that were identified early January.

The first vulnerability, assigned CVE-2007-0494, is only exploitable in those BIND configurations that use DNSSEC validation through the use of trusted-keys. During the validation of responses to type * (ANY) queriesthat returns multiple RRsets certain assertion checks can be triggered (which could cause the daemon to exit). This is still a fairly low impact vulnerability – the SECspider at UCLA only knows of 722 DNSSEC enabled zones on the internet.

In the second vulnerability, assigned CVE-2007-0493, certain requests could cause named, the actual DNS server of the BIND software, to read a freed fetch context. This would cause named to exit, allowing a remote attacker to perform a DoS attack against the server.

The impact of many DNS vulnerabilities can be mitigated by using best practices in the design of a DNS architecture. For example, disabling the ability of external users to run recursive lookups against your servers can simultaneously limit the scope of the above vulnerabilities, increase performance for legitimate users and prevent your servers from being used in an amplification denial-of-service attack. Nevertheless, measurements by the Measurement Factory show that as recently as August 2006, 52% of all DNS servers on the internet still allowed recursion by clients outside of their administrative domain.

Even though these specific vulnerabilities are ranked as low impact, if there’s one security improvement you consider this week, make it a thorough check of your public DNS servers – do they allow functionality that isn’t required, such as open recursion? The NIST has an excellent document on implementing secure DNS, and Team Cymru's Secure BIND template can prove most useful.

The Center for Internet Security www.cisecurity.org has a template available as well.


Maarten Van Horenbeeck

0 comment(s)


Diary Archives