BIND 9 Dynamic Update DoS Security Update

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named daemon is an Internet domain name server for UNIX-like operating systems. Dynamic update messages may be used to update records in a master zone on a nameserver. When named receives a specially crafted dynamic update message, an internal assertion check is triggered which causes named to exit. An attacker who can send DNS requests to a nameserver can therefore cause it to exit, creating a denial of service. Configuring named to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. This exploit is public. Please upgrade immediately.

Our hosting provider seems to have come under DoS attack at the same time, and their DNS server went down for a couple of hours. So you may see some parts of our site not working, especially our CSS, JS and image files, which come from our service provider's servers affected by the BIND server problem.

Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC claims it affects all versions of BIND 9. However, another update from Red Hat claimed that:

Updates with a similar patch are undergoing quality assurance testing now and will be released as soon as they are fully tested.

How Do I Fix This Under Debian / Ubuntu Linux?

Upgrade your vulnerable package using the following commands:
# apt-get update
# apt-get upgrade
# /etc/init.d/bind9 restart

How Do I Fix This Under FreeBSD Operating System v6.x and v7.x?

To patch your system, download the relevant patch from FreeBSD as shown below, and verify the detached PGP signature using your PGP utility.
# cd /tmp
# fetch
# fetch
# cd /usr/src
# patch < /tmp/bind.patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart
# rm /tmp/bind.patch

How Do I Patch RHEL / Fedora / CentOS Linux Server?

A Red Hat / CentOS specific patch is available here.

Update, Jul 30, 1:31: Updated bind packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. You can grab it from RHN or simply by running the following command at a shell prompt:
# yum update

CentOS Linux users will get the same in a day or two.

Other Suggestions

This Slashdot user suggested the following iptables rule, which uses the u32 match module to drop UDP DNS packets whose OPCODE is UPDATE (5). The expression reads the 32-bit word at byte offset 30 from the start of the IP header (the DNS flags word followed by QDCOUNT when the IPv4 header is 20 bytes and the UDP header 8 bytes), shifts out everything but the QR and OPCODE bits, masks to the 4-bit OPCODE and compares it with 5. Note that it only matches UDP and only packets with a 20-byte IPv4 header, so updates sent over TCP or in packets carrying IP options pass through it:

iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
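To make the arithmetic in that rule visible, here is an added Python example (not code from the original post or from the Slashdot user) that builds minimal IPv4, UDP and DNS headers inline as constructed sample data, extracts the DNS OPCODE the standard way, and evaluates the u32 expression `30>>27&0xF=5` over the same bytes. The third sample carries IP options (IHL of 6 words), which shows where the rule's fixed offset stops matching an UPDATE message that a DNS-level parse still recognises.

```python
"""Classify DNS messages by OPCODE, the check the u32 rule above performs.

Added example, not code from the original post. It builds minimal IPv4,
UDP and DNS headers inline (constructed sample data, not captured
traffic) and evaluates the u32 expression '30>>27&0xF=5' over them, so
the rule's offset arithmetic and its blind spot can be seen directly.
"""
import struct

# DNS OPCODE values (RFC 1035 QUERY, RFC 1996 NOTIFY, RFC 2136 UPDATE).
OPCODE_QUERY, OPCODE_NOTIFY, OPCODE_UPDATE = 0, 4, 5
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def dns_opcode(dns_msg: bytes) -> int:
    """Return the 4-bit OPCODE from the flags word of a DNS header.

    Header layout: ID (16) | QR(1) OPCODE(4) AA TC RD RA Z(3) RCODE(4) | counts.
    """
    if len(dns_msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    flags = struct.unpack("!H", dns_msg[2:4])[0]
    return (flags >> 11) & 0xF


def is_update_message(dns_msg: bytes) -> bool:
    """True for an UPDATE message regardless of transport or IP framing."""
    return dns_opcode(dns_msg) == OPCODE_UPDATE


def u32_rule_matches(ip_packet: bytes) -> bool:
    """Evaluate '30>>27&0xF=5' the way the iptables u32 match does.

    u32 reads a big-endian 32-bit word at a byte offset counted from the
    start of the IP header. With a 20-byte IPv4 header and an 8-byte UDP
    header, offset 30 holds the DNS flags word and QDCOUNT; '>>27' keeps
    the top five bits (QR and OPCODE) and '&0xF' keeps just the OPCODE.
    """
    if len(ip_packet) < 34:
        return False
    word = struct.unpack("!I", ip_packet[30:34])[0]
    return ((word >> 27) & 0xF) == 5


def build_dns_header(msg_id: int, opcode: int, qdcount: int = 1) -> bytes:
    """Constructed 12-byte DNS request header with the given OPCODE (QR=0)."""
    flags = (opcode & 0xF) << 11
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, 0, 0, 0)


def wrap_ipv4_udp(payload: bytes, ihl_words: int = 5) -> bytes:
    """Prepend a minimal IPv4 header (IHL in 32-bit words) and a UDP header.

    Checksums are left zero: these bytes exist only to exercise the offset
    arithmetic above, not to be transmitted. Addresses are constructed.
    """
    ip_len = ihl_words * 4
    total_len = ip_len + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    ip += b"\x00" * (ip_len - 20)            # IP options area when IHL > 5
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return ip + udp + payload


if __name__ == "__main__":
    samples = {
        "query":             wrap_ipv4_udp(build_dns_header(0x1234, OPCODE_QUERY)),
        "update":            wrap_ipv4_udp(build_dns_header(0x1234, OPCODE_UPDATE)),
        "update+ip-options": wrap_ipv4_udp(build_dns_header(0x1234, OPCODE_UPDATE), ihl_words=6),
    }
    for name, pkt in samples.items():
        # Locate the DNS payload from IHL rather than assuming offset 28.
        ihl = (pkt[0] & 0xF) * 4
        dns = pkt[ihl + 8:]
        print(f"{name:18s} opcode={OPCODE_NAMES[dns_opcode(dns)]:6s} "
              f"u32_rule_matches={u32_rule_matches(pkt)}")
```

Running it prints three lines: the plain query is not matched, the plain UPDATE is matched, and the UPDATE behind IP options is classified as UPDATE by `dns_opcode` but not by the u32 expression, which is the gap a defender should keep in mind when relying on this rule alone.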

Another user at the Red Hat support site suggested the following workaround:

Based on the original advisory, this appears to affect only "master" servers. One standard best practice is to have one master and multiple slaves and to protect that master (no exposure to the Internet). This would seem to be a mitigation. This is a BCP (Best Common Practice) for those of us who have been doing this for years.
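As an added illustration of the hidden-master layout described above (not configuration from the original post or from the commenter), here are two named.conf fragments with constructed addresses: 10.0.0.1 is the master on an internal network, 192.0.2.10 and 192.0.2.11 are the public slaves, and example.com stands in for the zone.

```conf
// Added example, not from the post or the commenter: a hidden-master layout.
// Constructed addresses: 10.0.0.1 is the master on an internal network,
// 192.0.2.10 and 192.0.2.11 are the public slaves.

// ---- named.conf on the hidden master (10.0.0.1) ----
options {
    directory "/var/named";
    listen-on { 10.0.0.1; };                     // internal address only
    allow-query { 10.0.0.0/8; 192.0.2.10; 192.0.2.11; };
    allow-transfer { 192.0.2.10; 192.0.2.11; };  // zone transfers to the slaves only
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.11; };
    recursion no;
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-update { 10.0.0.0/8; };                // internal updaters only
};

// ---- named.conf on each public slave (192.0.2.10, 192.0.2.11) ----
options {
    directory "/var/named";
    listen-on { 192.0.2.10; };                   // this slave's public address
    allow-query { any; };
    allow-transfer { none; };
    recursion no;
};

zone "example.com" {
    type slave;
    masters { 10.0.0.1; };
    file "slaves/example.com.zone";
};
```

The master is reachable only from the internal network and its slaves, and the public slaves answer queries but accept neither transfers nor updates. As the post notes above, this limits who can reach the master rather than changing how the master handles an update message, so it complements the package upgrade rather than replacing it.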

Another option is to use the DJBDNS DNS server.

7 comments… add one
  • Christopher Jul 29, 2009 @ 18:52

    Any word on when Redhat/CentOS will be releasing a RPM and/or yum repo update for this issue?

  • 🐧 nixCraft Jul 29, 2009 @ 20:04


    Red Hat just released the updated version. Grab it from RHN or just run yum update.

  • Christopher Jul 29, 2009 @ 20:10

    Any word on CentOS?

  • 🐧 nixCraft Jul 29, 2009 @ 20:37

    Good news. CentOS just rolled out the updated version 😀 Open /etc/yum.repos.d/CentOS-Base.repo and find the released updates section. Comment mirrorlist and comment out baseurl. It should look as follows:

    #released updates
    name=CentOS-$releasever - Updates

    Save and close the file. And run the following:

    yum clean all
    yum update


     Package                              Arch                            Version                                          Repository                        Size
     bind                                 x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          961 k
     bind-chroot                          x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                           42 k
     bind-libs                            x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          869 k
     bind-utils                           x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          173 k
    Transaction Summary
    Install      0 Package(s)
    Update       4 Package(s)
    Remove       0 Package(s)

    Finally, revert the changes made to /etc/yum.repos.d/CentOS-Base.repo.


  • Tyler Jul 30, 2009 @ 5:02

    The update hit our repo and was deployed. The majority of IPS providers, including Cisco, ISS and Tipping Point, have been overly slow in releasing a DV update for this.

  • 🐧 nixCraft Jul 30, 2009 @ 6:53


    I saw that on one of our sites; I had to update CentOS-Base.repo to point to the main base URL instead of the mirror.

  • xxra3edxx Jul 30, 2009 @ 12:55

    I have a problem with “yum update”.

    Can you help me?

    Loaded plugins: fastestmirror
    Determining fastest mirrors
    google | 951 B 00:00
    primary.xml.gz | 2.3 kB 00:00
    google 2/2
    google64 | 951 B 00:00
    primary.xml.gz | 991 B 00:00
    google64 1/1 [Errno 4] IOError:
    Trying other mirror.
    Error: Cannot retrieve repository metadata (repomd.xml) for repository: base. Please verify its path and try again

