BIND DNS Security Hole Workaround

This content 8 years old. Please, read this page keeping its age in mind along with the fact technology changes fast and the information on this page me be outdated, not best practice, or plain wrong.

There has been a recent discovery that affects BIND DNS servers.

A nameserver can be locked up if it can be induced to load a specially crafted combination of resource records.  CVE-2012-5166

To check your version, issue:

named -v

Affected BIND DNS server versions:

  • 9.2.x -> 9.6.x
  • 9.4-ESV->9.4-ESV-R5-P1
  • 9.6-ESV->9.6-ESV-R7-P3
  • 9.7.0->9.7.6-P3
  • 9.8.0->9.8.3-P3
  • 9.9.0->9.9.1-P3

Upgrading to one of the following corrects the problem

  • 9.7.7
  • 9.7.6-P4
  • 9.6-ESV-R8
  • 9.6-ESV-R7-P4
  • 9.8.4
  • 9.8.3-P4
  • 9.9.2
  • 9.9.1-P4
  • You can also work around the issue by setting a view or global option and setting minimal-responses to yes.

    Here’s an example screenshot of BIND9 configuration:

    BIND workaround for exploit

Comments

  1. Only wanna tell that this is very useful , Thanks for taking your time to write this. akedddeggbeb

Speak Your Mind

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.