There has been a recent discovery that affects BIND DNS servers.
A nameserver can be locked up if it can be induced to load a specially crafted combination of resource records (CVE-2012-5166).
To check your version, issue:
named -v
Affected BIND DNS server versions:
- 9.2.x -> 9.6.x
- 9.4-ESV -> 9.4-ESV-R5-P1
- 9.6-ESV -> 9.6-ESV-R7-P3
- 9.7.0 -> 9.7.6-P3
- 9.8.0 -> 9.8.3-P3
- 9.9.0 -> 9.9.1-P3
Upgrading to one of the following corrects the problem:
- 9.7.7
- 9.7.6-P4
- 9.6-ESV-R8
- 9.6-ESV-R7-P4
- 9.8.4
- 9.8.3-P4
- 9.9.2
- 9.9.1-P4
You can also work around the issue by setting minimal-responses to yes, either in the global options or in a view.
Here’s an example screenshot of BIND9 configuration:
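The screenshot itself is not reproduced here, so below is an added named.conf excerpt (written for this post, not taken from the original screenshot or from ISC's documentation) showing the minimal-responses workaround in both places the advisory mentions: the global options block and a single view. The directory path, view name, client range, zone name and zone file are placeholders.

```conf
// Added example: named.conf excerpts for the CVE-2012-5166 workaround.
// Paths, view and zone names, and the client range are placeholders.

// Option 1: global setting, inherited by every view and zone unless a view
// overrides it.
options {
    directory "/var/named";        // placeholder path
    // Workaround: omit authority/additional records that are not required
    // to answer the query.
    minimal-responses yes;
};

// Option 2: per-view setting, for servers that run split views and want the
// option enabled only in one of them.
view "internal" {
    match-clients { 10.0.0.0/8; }; // placeholder client range
    minimal-responses yes;

    zone "example.com" {
        type master;
        file "db.example.com";     // placeholder zone file
    };
};
```

Check the edited file with named-checkconf before reloading, then apply it with rndc reconfig (or restart named). As the advisory says, this is a workaround; the listed upgrades are what actually correct the problem.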