BIND DNS Security Hole Workaround


There has been a recent discovery that affects BIND DNS servers.

A nameserver can be locked up if it can be induced to load a specially crafted combination of resource records (CVE-2012-5166).

To check your version, issue:

named -v

Affected BIND DNS server versions:

  • 9.2.x -> 9.6.x
  • 9.4-ESV -> 9.4-ESV-R5-P1
  • 9.6-ESV -> 9.6-ESV-R7-P3
  • 9.7.0 -> 9.7.6-P3
  • 9.8.0 -> 9.8.3-P3
  • 9.9.0 -> 9.9.1-P3

Upgrading to one of the following versions corrects the problem:

  • 9.7.7
  • 9.7.6-P4
  • 9.6-ESV-R8
  • 9.6-ESV-R7-P4
  • 9.8.4
  • 9.8.3-P4
  • 9.9.2
  • 9.9.1-P4

You can also work around the issue by setting minimal-responses to yes, either in a view or in the global options. Here's an example of the BIND9 configuration (the original post shows this as a screenshot):

[Screenshot: BIND workaround for exploit]
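As an added example (not the screenshot from the original post), this is what the workaround looks like in named.conf, shown both as a global option and scoped to a single view. You need only one of the two forms; the directory path, view name, match-clients list and zone are placeholders.

```conf
// Global form: applies to every view and zone this named serves.
options {
    directory "/var/named";      // placeholder path, adjust to your layout
    recursion no;                // placeholder for your existing settings
    // Workaround for CVE-2012-5166: add records to the authority and
    // additional sections only when they are required, so the crafted
    // record combination is not assembled into a response.
    minimal-responses yes;
};

// View-scoped form: use this instead of the global option if you want
// to limit the behaviour change to one set of clients.
// "internal", the match-clients list and the zone are placeholders.
view "internal" {
    match-clients { 192.0.2.0/24; };
    minimal-responses yes;
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Run named-checkconf on the file before reloading, then apply the change with rndc reconfig. Because minimal-responses yes drops authority and additional records unless they are needed (delegations, negative answers), verify with dig that any clients that depend on glue or other additional-section data still get what they expect.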