BIND 9 Dynamic Update DoS Security Update

Posted in categories: BIND Dns, CentOS, Debian Linux, fedora linux, FreeBSD, Howto, Linux, Networking, package management, RedHat/Fedora Linux, Security, Solaris, Suse Linux, Sys admin, UNIX, Windows server. Last updated July 29, 2009.

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named daemon is an Internet domain name server for UNIX-like operating systems. Dynamic update messages may be used to update records in a master zone on a nameserver. When named receives a specially crafted dynamic update message, an internal assertion check is triggered which causes named to exit. An attacker who can send DNS requests to a nameserver can therefore cause it to exit, creating a denial of service. Configuring named to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. This exploit is public. Please upgrade immediately.

Our hosting provider seems to have come under DoS attack at the same time, and their DNS server went down for a couple of hours. So you may see some parts of our site not working, especially our CSS, JS and image files, which come from our service provider's servers that are affected by the BIND server problem.

Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC claims it affects all versions of BIND 9. However, another update from Red Hat stated:

Updates with a similar patch are undergoing quality assurance testing now and will be released as soon as they are fully tested.

How Do I Fix This Under Debian / Ubuntu Linux?

Upgrade your vulnerable package using the following commands:
# apt-get update
# apt-get upgrade
# /etc/init.d/bind9 restart

How Do I Fix This Under FreeBSD Operating System v6.x and v7.x?

To patch your system, download the relevant patch from FreeBSD as shown below, and verify the detached PGP signature using your PGP utility before applying it.
# cd /tmp
# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch.asc
# cd /usr/src
# patch < /tmp/bind.patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart
# rm /tmp/bind.patch

How Do I Patch RHEL / Fedora / CentOS Linux Server?

A Red Hat / CentOS specific patch is available here.

Update, Jul 30, 1:31: Updated bind packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. You can grab the same from RHN or by simply running the following command at a shell prompt:
# yum update

CentOS Linux users will get the same in a day or two.

Other Suggestions

A Slashdot user suggested the following iptables rule, which uses the u32 match module:

iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
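To see exactly what that u32 expression tests, here is an added Python snippet (not from the original post or the Slashdot user) that builds constructed IPv4/UDP/DNS packets and replicates the '30>>27&0xF=5' arithmetic next to a header-aware opcode parse. It goes beyond the page by showing that the fixed offset 30 assumes a 20-byte IPv4 header with no options, and the rule as written covers UDP only, not DNS over TCP.

```python
import struct

UPDATE_OPCODE = 5  # DNS opcode 5 = UPDATE (RFC 2136)


def build_packet(opcode, ihl_words=5):
    """Constructed IPv4 + UDP + DNS header bytes (sample data, not a real capture).

    ihl_words=5 is a plain 20-byte IPv4 header; larger values append dummy options.
    """
    options = b"\x00" * (4 * (ihl_words - 5))
    # DNS header: ID, flags (QR=0, opcode in bits 14..11), QD, AN, NS, AR counts
    dns = struct.pack("!HHHHHH", 0x1234, (opcode & 0xF) << 11, 1, 0, 0, 0)
    # UDP header: src port, dst port 53, length, checksum (0 = none)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    total = 4 * ihl_words + len(udp) + len(dns)
    # IPv4 header: ver/IHL, TOS, total len, ID, flags/frag, TTL, proto 17 (UDP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + options + udp + dns


def u32_rule_matches(pkt):
    """Replicates '30>>27&0xF=5' byte for byte.

    u32 loads the 4 bytes at offset 30 (IPv4 20 + UDP 8 + DNS ID 2 = DNS flags + QDCOUNT),
    shifts off everything but the top 5 bits (QR + opcode), masks to opcode, compares to 5.
    """
    word = struct.unpack("!I", pkt[30:34])[0]
    return (word >> 27) & 0xF == UPDATE_OPCODE


def dns_opcode(pkt):
    """Reads IHL so the DNS header is located correctly even with IPv4 options present."""
    ihl = (pkt[0] & 0x0F) * 4
    dns_off = ihl + 8  # skip the UDP header
    flags = struct.unpack("!H", pkt[dns_off + 2:dns_off + 4])[0]
    return (flags >> 11) & 0xF


if __name__ == "__main__":
    for name, pkt in (("query", build_packet(0)),
                      ("update", build_packet(UPDATE_OPCODE)),
                      ("update+ipopts", build_packet(UPDATE_OPCODE, ihl_words=6))):
        print(f"{name:14s} opcode={dns_opcode(pkt)} u32_rule_drops={u32_rule_matches(pkt)}")
```

The third case shows the limitation: with IP options present the fixed offset reads the wrong bytes and the rule lets the UPDATE through, so the rule is a stop-gap, not a substitute for upgrading.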

Another user at the Red Hat support site suggested the following workaround:

Based on the original advisory, this appears to affect only "master" servers. One standard best practice is to have one master and multiple slaves and to protect that master (no exposure to the Internet). This would seem to be a mitigation. This is a BCP (Best Common Practice) for those of us who have been doing this for years.

Another option is to use the djbdns DNS server.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.

7 comments

  1. Good news. CentOS just rolled out an updated version 😀 Open /etc/yum.repos.d/CentOS-Base.repo and find the released updates section. Comment mirrorlist and comment out baseurl. It should look as follows:

    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
    baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

    Save and close the file. And run the following:

    yum clean all
    yum update

    Outputs:

    ==============================================================================================================================================================
     Package                              Arch                            Version                                          Repository                        Size
    ==============================================================================================================================================================
    Updating:
     bind                                 x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          961 k
     bind-chroot                          x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                           42 k
     bind-libs                            x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          869 k
     bind-utils                           x86_64                          30:9.3.4-10.P1.el5_3.3                           updates                          173 k
    
    Transaction Summary
    ==============================================================================================================================================================
    Install      0 Package(s)
    Update       4 Package(s)
    Remove       0 Package(s)

    Finally, revert the changes made to /etc/yum.repos.d/CentOS-Base.repo.

    HTH

  2. I have a problem with "yum update".

    Can you help me?

    Loaded plugins: fastestmirror
    Determining fastest mirrors
    google | 951 B 00:00
    primary.xml.gz | 2.3 kB 00:00
    google 2/2
    google64 | 951 B 00:00
    primary.xml.gz | 991 B 00:00
    google64 1/1
    http://centos.mirror.cust.lstn.net/5/os/x86_64/repodata/repomd.xml: [Errno 4] IOError:
    Trying other mirror.
    Error: Cannot retrieve repository metadata (repomd.xml) for repository: base. Please verify its path and try again

    Thanks
