BIND 9 Dynamic Update DoS Security Update


BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named daemon is an Internet domain name server for UNIX-like operating systems. Dynamic update messages may be used to update records in a master zone on a nameserver. When named receives a specially crafted dynamic update message, an internal assertion check is triggered which causes named to exit. An attacker who can send DNS requests to a nameserver can therefore cause it to exit, creating a Denial of Service condition. Configuring named to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. The exploit is public. Please upgrade immediately.

Our hosting provider seems to have come under DoS attack at the same time, and their DNS server went down for a couple of hours. So you may see some parts of our site not working, especially our CSS, JS and image files, which come from our service provider's servers that were affected by the BIND server problem.


Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC claims it affects all versions of BIND 9. However, a later update from Red Hat stated that:

Updates with similar patch are undergoing quality assurance testing now and will be released as soon as they are fully tested.

How Do I Fix This Under Debian / Ubuntu Linux?

Upgrade your vulnerable package using the following commands:
# apt-get update
# apt-get upgrade
# /etc/init.d/bind9 restart

How Do I Fix This Under FreeBSD Operating System v6.x and v7.x?

To patch your system, download the relevant patch and its detached PGP signature from FreeBSD (links below), and verify the signature using your PGP utility before applying it:
# cd /tmp
# fetch
# fetch
# cd /usr/src
# patch < /tmp/bind.patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart
# rm /tmp/bind.patch

How Do I Patch RHEL / Fedora / CentOS Linux Server?

Red Hat / CentOS specific patch is available here.

Update, Jul 30, 1:31: Updated bind packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. You can grab it from RHN or by simply running the following command at a shell prompt:
# yum update

CentOS Linux users will get the same update in a day or two.

Other Suggestions

A Slashdot user suggested the following iptables rule, which uses the u32 match module to drop UDP DNS packets whose opcode is UPDATE:

iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
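As an added illustration (not code from the original post), the following Python evaluates the same bit test the u32 expression performs against constructed IPv4/UDP/DNS packets and compares it with a proper header decode; it shows that the fixed offset 30 assumes an IPv4 header without options, and that the rule, being `-p udp`, does not cover DNS over TCP.

```python
import struct

OPCODE_UPDATE = 5  # DNS opcode 5 = UPDATE (RFC 2136)


def build_ipv4_udp_dns(opcode, qr=0, ihl_words=5):
    """Constructed sample packet: IPv4 header (ihl_words*4 bytes) + UDP header
    + 12-byte DNS header, carrying the requested DNS opcode and QR bit."""
    ip_len = ihl_words * 4
    total_len = ip_len + 8 + 12
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0x1234, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    ip_hdr += b"\x00" * (ip_len - 20)          # IP options, if ihl_words > 5
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8 + 12, 0)
    flags = (qr << 15) | ((opcode & 0xF) << 11)
    dns_hdr = struct.pack("!HHHHHH", 0xBEEF, flags, 1, 0, 0, 0)
    return ip_hdr + udp_hdr + dns_hdr


def u32_rule_matches(pkt):
    """Evaluate '30>>27&0xF=5' the way xt_u32 does: load the big-endian
    32-bit word at byte offset 30 of the IP packet (DNS flags + QDCOUNT when
    the IP header is 20 bytes), shift right 27 to keep QR plus the 4 opcode
    bits, mask to the opcode, and compare with 5."""
    if len(pkt) < 34:
        return False  # xt_u32 treats a load past the packet end as no match
    word = struct.unpack("!I", pkt[30:34])[0]
    return ((word >> 27) & 0xF) == OPCODE_UPDATE


def dns_opcode(pkt):
    """Proper decode for comparison: follow the IHL field to the UDP header,
    then to the DNS flags word, instead of assuming a fixed offset."""
    ihl = (pkt[0] & 0x0F) * 4
    dns_off = ihl + 8
    flags = struct.unpack("!H", pkt[dns_off + 2:dns_off + 4])[0]
    return (flags >> 11) & 0xF


if __name__ == "__main__":
    samples = [("query", build_ipv4_udp_dns(0)),
               ("update", build_ipv4_udp_dns(OPCODE_UPDATE)),
               ("update+ipopts", build_ipv4_udp_dns(OPCODE_UPDATE, ihl_words=6))]
    for name, pkt in samples:
        print(name, "opcode", dns_opcode(pkt), "dropped:", u32_rule_matches(pkt))
```

The third sample is an UPDATE that the rule lets through because IP options shift the DNS header by four bytes.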

Another user at the Red Hat support site suggested the following workaround:

Based on the original advisory, this appears to affect only "master" servers. One standard best practice is to have one master and multiple slaves and to protect that master (no exposure to the Internet). This would seem to be a mitigation. This is a BCP (Best Common Practice) for those of us who have been doing this for years.

Another option is to use the DJBDNS DNS server instead.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.


7 comments

  1. Good news. CentOS just rolled out the updated version 😀 Open /etc/yum.repos.d/CentOS-Base.repo and find the released updates section. Comment mirrorlist and comment out baseurl. It should look as follows:

    #released updates
    name=CentOS-$releasever - Updates

    Save and close the file. And run the following:

    yum clean all
    yum update


     Package                              Arch                            Version                                          Repository                        Size
     bind                                 x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          961 k
     bind-chroot                          x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                           42 k
     bind-libs                            x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          869 k
     bind-utils                           x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          173 k
    Transaction Summary
    Install      0 Package(s)
    Update       4 Package(s)
    Remove       0 Package(s)

    Finally revert back changes made to /etc/yum.repos.d/CentOS-Base.repo.


  2. The update is in our repo and was deployed. The majority of IPS providers, including Cisco, ISS and Tipping Point, have been overly slow in releasing a DV update for this.

  3. @Tyler,

    I saw that on one of our sites; I had to update CentOS-Base.repo to point to the main base URL instead of the mirror.

  4. I have a problem with "yum update".

    Can you help me?

    Loaded plugins: fastestmirror
    Determining fastest mirrors
    google | 951 B 00:00
    primary.xml.gz | 2.3 kB 00:00
    google 2/2
    google64 | 951 B 00:00
    primary.xml.gz | 991 B 00:00
    google64 1/1 [Errno 4] IOError:
    Trying other mirror.
    Error: Cannot retrieve repository metadata (repomd.xml) for repository: base. Please verify its path and try again

