Threat Level: green Handler on Duty: Russ McRee

SANS ISC: DNS security & new BIND releases SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
DNS security & new BIND releases

Last Thursday, the Internet Systems Consortium released new versions of the popular BIND DNS server software. The new releases, 9.2.8, 9.3.4 and 9.4.0rc2 contain fixes for two security vulnerabilities that were identified early January.

The first vulnerability, assigned CVE-2007-0494, is only exploitable in those BIND configurations that use DNSSEC validation through the use of trusted-keys. During the validation of responses to type * (ANY) queriesthat returns multiple RRsets certain assertion checks can be triggered (which could cause the daemon to exit). This is still a fairly low impact vulnerability – the SECspider at UCLA only knows of 722 DNSSEC enabled zones on the internet.

In the second vulnerability, assigned CVE-2007-0493, certain requests could cause named, the actual DNS server of the BIND software, to read a freed fetch context. This would cause named to exit, allowing a remote attacker to perform a DoS attack against the server.

The impact of many DNS vulnerabilities can be mitigated by using best practices in the design of a DNS architecture. For example, disabling the ability of external users to run recursive lookups against your servers can simultaneously limit the scope of the above vulnerabilities, increase performance for legitimate users and prevent your servers from being used in an amplification denial-of-service attack. Nevertheless, measurements by the Measurement Factory show that as recently as August 2006, 52% of all DNS servers on the internet still allowed recursion by clients outside of their administrative domain.

Even though these specific vulnerabilities are ranked as low impact, if there’s one security improvement you consider this week, make it a thorough check of your public DNS servers – do they allow functionality that isn’t required, such as open recursion? The NIST has an excellent document on implementing secure DNS, and Team Cymru's Secure BIND template can prove most useful.

The Center for Internet Security has a template available as well.


Maarten Van Horenbeeck


158 Posts
Jan 29th 2007

Sign Up for Free or Log In to start participating in the conversation!