Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Patch for BIND 9.8.0 DoS Vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Patch for BIND 9.8.0 DoS Vulnerability

The other ISC ( released a patch for BIND 9.8.0. The new version, 9.8.0-P1 [1] fixes a flaw that can lead to a server crash [2]. Only version 9.8.0 is vulnerable, and only if RPZ (response policy zone) is configured.

RPZ is a new feature introduced in BIND 9.8.0. This feature allows recursive name servers to selectively modify responses according to local policies. Usually, recursive name servers will not modify responses, but just forward them to the host that sent the original request. 

In order to use RPZ in BIND 9.8.0, it has to be compiled with the "--enable-rpz-nsip" or the "--enable-rpz-nsdname" option. These options make a new configuration direction available: "response-policy".

Four different policies can be used:

1. NXDOMAIN : replace all NXDOMAIN responses with a single CNAME record. This can be used to redirect users to a default host.

2. NODATA: similar to NXDOMAIN but can be used to redirect to a wildcard record.

3. NO-OP: Does nothing, and can be used to define exceptions for which NODATA/NXDOMAIN should not apply.

4. CNAME: replaces responses that return actual data other then NXDOMAIN. This can be used to apply block lists.

To configure this feature, you define a "response-policy" zone, and then the zone file will list the detailed policies. For more details, see section of the BIND 9.8 administrator reference manual [3].


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022


4510 Posts
ISC Handler
May 9th 2011

Sign Up for Free or Log In to start participating in the conversation!