Patch for BIND 9.8.0 DoS Vulnerability

Published: 2011-05-09
Last Updated: 2011-05-09 19:55:06 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

The other ISC ( released a patch for BIND 9.8.0. The new version, 9.8.0-P1 [1] fixes a flaw that can lead to a server crash [2]. Only version 9.8.0 is vulnerable, and only if RPZ (response policy zone) is configured.

RPZ is a new feature introduced in BIND 9.8.0. This feature allows recursive name servers to selectively modify responses according to local policies. Usually, recursive name servers will not modify responses, but just forward them to the host that sent the original request. 

In order to use RPZ in BIND 9.8.0, it has to be compiled with the "--enable-rpz-nsip" or the "--enable-rpz-nsdname" option. These options make a new configuration direction available: "response-policy".

Four different policies can be used:

1. NXDOMAIN : replace all NXDOMAIN responses with a single CNAME record. This can be used to redirect users to a default host.

2. NODATA: similar to NXDOMAIN but can be used to redirect to a wildcard record.

3. NO-OP: Does nothing, and can be used to define exceptions for which NODATA/NXDOMAIN should not apply.

4. CNAME: replaces responses that return actual data other then NXDOMAIN. This can be used to apply block lists.

To configure this feature, you define a "response-policy" zone, and then the zone file will list the detailed policies. For more details, see section of the BIND 9.8 administrator reference manual [3].


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: bind dns rpz
0 comment(s)


Diary Archives