Q. BIND 9 is part of core FreeBSD 7.x. How do I apply BIND 9 security patch under FreeBSD 7.x? Do I need to fetch entire source (buildworld) to patch BIND 9? How do I patch up recent BIND 9 DNS cache poisoning bug?
A. No, you don't have to fetch entire source to patch up BIND 9 if you are running latest stable (6-STABLE or 7-STABLE). The BIND DNS implementation does not randomize the UDP source port when doing remote queries, and the query id alone does not provide adequate randomization.
To fix this issue under FreeBSD 6.3, download patch:
# cd /tmp
# fetch -o bind.patch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch
If you are using FreeBSD 7.0, enter:
# cd /tmp
# fetch -o bind.patch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch
Type the following commands to compile and install bind 9 patch:
# cd /usr/src
# patch < /tmp/bind.patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
Restart bind 9:
# /etc/rc.d/named restart
# tail -f /var/log/messages
- Email FAQ to a friend
- Printable version
- Rss Feed
- Last Updated: 7-17-08
{ 7 comments… read them below or add one }
Since you’re upgrading BIND, you might as well upgrade rndc, too. How about adding this to your “make” section?
# cd /usr/src/usr.sbin/rndc
# make obj && make depend && make && make install
I have this error while patching my DNS on freeBSD.
RyAn,
Do you have up to date FreeBSD source tree?
i’m also getting the same error as RyAn. new install of fbsd 7, minimal. how do i run the patch without having to to a cvsup and blowing the whole point of having a minimal install?
jimbo,
There is binary update method, it will only work if you are not using custom kernel.
how do i do the binary update?
Use freebsd-update command which is used to fetch, install, and rollback binary updates to the FreeBSD base system. You can also use sysinstall to update system. Read man pages for further information.