≡ Menu

domain name service

Security Alert: BIND9 DNS Cache Poisoning Bug

An unpatched security hole in BIND 9 package could be used by attackers to poison your DNS cache. Attacker to take control of all hosted domains and can can lead to misdirected web traffic and email rerouting.

This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult.


  • Package : bind9
  • Vulnerability : DNS cache poisoning
  • Problem type : remote
  • Debian-specific: no
  • CVE Id(s) : CVE-2008-1447
  • CERT advisory : VU#800113

How do I fix BIND9 bug under Debian Linux?

Install the BIND 9 upgrade, using following commands, enter:
# apt-get update
# apt-get install bind9

Sample output:

Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  libdns22 libisc11 libisccc0 libisccfg1
Suggested packages:
The following packages will be upgraded:
  bind9 libdns22 libisc11 libisccc0 libisccfg1
5 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 1267kB of archives.
After unpacking 4096B disk space will be freed.
Do you want to continue [Y/n]? y
Get:1 http://security.debian.org stable/updates/main bind9 1:9.3.4-2etch3 [319kB]
Get:2 http://security.debian.org stable/updates/main libisc11 1:9.3.4-2etch3 [188kB]
Get:3 http://security.debian.org stable/updates/main libisccc0 1:9.3.4-2etch3 [96.7kB]
Get:4 http://security.debian.org stable/updates/main libisccfg1 1:9.3.4-2etch3 [111kB]
Get:5 http://security.debian.org stable/updates/main libdns22 1:9.3.4-2etch3 [552kB]
Fetched 1267kB in 1s (724kB/s)
Reading changelogs... Done
(Reading database ... 27244 files and directories currently installed.)
Preparing to replace bind9 1:9.3.4-2etch1 (using .../bind9_1%3a9.3.4-2etch3_amd64.deb) ...
Stopping domain name service...: bind.
Unpacking replacement bind9 ...
Preparing to replace libisc11 1:9.3.4-2etch1 (using .../libisc11_1%3a9.3.4-2etch3_amd64.deb) ...
Unpacking replacement libisc11 ...
Preparing to replace libisccc0 1:9.3.4-2etch1 (using .../libisccc0_1%3a9.3.4-2etch3_amd64.deb) ...
Unpacking replacement libisccc0 ...
Preparing to replace libisccfg1 1:9.3.4-2etch1 (using .../libisccfg1_1%3a9.3.4-2etch3_amd64.deb) ...
Unpacking replacement libisccfg1 ...
Preparing to replace libdns22 1:9.3.4-2etch1 (using .../libdns22_1%3a9.3.4-2etch3_amd64.deb) ...
Unpacking replacement libdns22 ...
Setting up libisc11 (9.3.4-2etch3) ...
Setting up libdns22 (9.3.4-2etch3) ...
Setting up libisccc0 (9.3.4-2etch3) ...
Setting up libisccfg1 (9.3.4-2etch3) ...
Setting up bind9 (9.3.4-2etch3) ...
Configuration file `/etc/bind/db.root'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** db.root (Y/I/N/O/D/Z) [default=N] ? y
Installing new version of config file /etc/bind/db.root ...
Starting domain name service...: bind.

Also, verify that source port randomization is active. Check that the /var/log/daemon.log file does not contain messages of the following form:

 named[6106]: /etc/bind/named.conf.options:28: using specific
    query-source port suppresses port randomization and can be insecure.

If you see message replace replace the port numbers contained within them with "*" sign (e.g.,
replace "port 53" with "port *") in /etc/bind/named.conf.option file.

How do I fix this issue under Red Hat Linux / RHEL ?

Simply type the command, enter:
# yum update

RIP: BIND 8 under Debian 4.x

Debian team also posted BIND 8 deprecation notice. From the announcement:

The BIND 8 legacy code base could not be updated to include the recommended countermeasure (source port randomization, see DSA-1603-1 for details). There are two ways to deal with this situation:

1. Upgrade to BIND 9 (or another implementation with source port randomization). The documentation included with BIND 9 contains a migration guide.

2. Configure the BIND 8 resolver to forward queries to a BIND 9 resolver. Provided that the network between both resolvers is trusted, this protects the BIND 8 resolver from cache poisoning attacks (to the same degree that the BIND 9 resolver is protected).

This problem does not apply to BIND 8 when used exclusively as an authoritative DNS server. It is theoretically possible to safely use BIND 8 in this way, but updating to BIND 9 is strongly recommended.
BIND 8 (that is, the bind package) will be removed from the etch distribution in a future point release.

The domain name service provided by BIND (named) software. It uses both UDP and TCP protocol and listen on port 53. DNS queries less than 512 bytes are transferred using UDP protocol and large queries are handled by TCP protocol such as zone transfer.

i) named/bind server – TCP/UDP port 53

ii)Client (browser, dig etc) – port > 1023

Allow outgoing DNS client request:

Following iptables rules can be added to your shell script.

SERVER_IP is your server ip address

DNS_SERVER stores the nameserver (DNS) IP address provided by ISP or your own name servers.

Following rules are useful when you run single web/smtp server or even DSL/LL/dialup Internet connections:

for ip in $DNS_SERVER
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT-p tcp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

(B) Allow incoming DNS request at port 53:

Use following rules only if you are protecting dedicated DNS server.

SERVER_IP is IP address where BIND(named) is listing on port 53 for incoming DNS queries.

Please note that here I'm not allowing TCP protocol as I don't have secondary DNS server to do zone transfer.

iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

Please note if you have secondary server, add following rules to above rules so that secondary server can do zone transfer from primary DNS server:

iptables -A INPUT -p tcp -s $DNS2_IP --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d $DNS2_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Linux: Setup as DNS Client / Name Server IP Address

Many new Linux user finds it difficult to setup / modify new name server address (NS1 / NS2).

Local name resolution is done via /etc/hosts file. If you have small network, use /etc/hosts file. DNS (domain name service is accountable for associating domain names with ip address, for example domain yahoo.com is easy to remember than IP address provides better name resolution. To configure Linux as DNS client you need to edit or modify /etc/resolv.conf file. This file defines which name servers to use. You want to setup Linux to browse net or run network services like www or smtp; then you need to point out to correct ISP DNS servers:

/etc/resolv.conf file

In Linux and Unix like computer operating systems, the /etc/resolv.conf configuration file contains information that allows a computer connected to the Internet to convert alpha-numeric names into the numeric IP addresses that are required for access to external network resources on the Internet. The process of converting domain names to IP addresses is called "resolving."

The resolv.conf file typically contains the IP addresses of nameservers (DNS name resolvers) that attempt to translate names into addresses for any node available on the network.

Setup DNS Name resolution

Steps to configure Linux as DNS client, first login as a root user (use su command):

Step # 1: Open /etc/resolv.conf file:

# vi /etc/resolv.conf

Step #2: Add your ISP nameserver as follows:

search isp.com

Note Max. three nameserver can be used/defined at a time.

Step # 3:Test setup nslookup or dig command:

$ dig www.nixcraft.com
$ nslookup www.nixcraft.com

See also: