Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Patch for BIND 9.8.0 DoS Vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Patch for BIND 9.8.0 DoS Vulnerability

The other ISC (isc.org) released a patch for BIND 9.8.0. The new version, 9.8.0-P1 [1] fixes a flaw that can lead to a server crash [2]. Only version 9.8.0 is vulnerable, and only if RPZ (response policy zone) is configured.

RPZ is a new feature introduced in BIND 9.8.0. This feature allows recursive name servers to selectively modify responses according to local policies. Usually, recursive name servers will not modify responses, but just forward them to the host that sent the original request. 

In order to use RPZ in BIND 9.8.0, it has to be compiled with the "--enable-rpz-nsip" or the "--enable-rpz-nsdname" option. These options make a new configuration direction available: "response-policy".

Four different policies can be used:

1. NXDOMAIN : replace all NXDOMAIN responses with a single CNAME record. This can be used to redirect users to a default host.

2. NODATA: similar to NXDOMAIN but can be used to redirect to a wildcard record.

3. NO-OP: Does nothing, and can be used to define exceptions for which NODATA/NXDOMAIN should not apply.

4. CNAME: replaces responses that return actual data other then NXDOMAIN. This can be used to apply block lists.

To configure this feature, you define a "response-policy" zone, and then the zone file will list the detailed policies. For more details, see section 6.2.6.20 of the BIND 9.8 administrator reference manual [3].

[1] http://ftp.isc.org/isc/bind9/9.8.0-P1/RELEASE-NOTES-BIND-9.8.0-P1.html
[2] http://www.isc.org/CVE-2011-1907
[3] http://ftp.isc.org/isc/bind/9.8.0/doc/arm/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Brussels September 2019

Johannes

3603 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!