[Dshield] BIND patches

Andre Costa brblueser at uol.com.br
Thu Nov 14 13:22:42 GMT 2002

Hi Johannes,

since BIND and DNS are the topics here, and you seem to know what you're
talking about ;) I would like to make a couple of questions to you and
any other gurus that feels like answering ;)

My setup is: BIND 9.2.1, acting only as a caching name server. I have
set up named to accept queries from localhost only, and my firewall only
accepts UDP traffic from port 53 to any port if it comes from any of the
two nameservers of my ISP, and UDP traffic from port 53 from any site as
long as it is directed to port 53. TCP traffic to port 53 is blocked,
period. named is running as user 'named'.

Is the above setup reasonable? Using BIND for caching purposes only is
probably overkill; should I consider an alternative NS? Anyone out there
has any experience with this?



On Thu, 14 Nov 2002 07:57:59 -0500
Johannes Ullrich <jullrich at euclidian.com> wrote:

>    patches for BIND are now available via regular web download at
> http://www.isc.org/products/BIND/patches/
>    just to repeat: All Bind 4 and Bind 8 versions available so far
> have a major bug allowing execution of arbitrary code. If you are
> using bind as a name server, please consider:
> - apply the patch (you HAVE to do this).
> - make sure named does not run as root (verify with 'ps').
> - if you haven't done so, setup a 'chroot jail' for bind. This
>   is rather simple. Let me know if you need details (there are
>   also a couple good FAQs/Howtos for this).
> - if your dns server is for internal use only, make sure it is
>   firewalled. (port 53 tcp/udp). In many cases you can get away
>   with blocking port tcp 53 even for public name servers and only
>   accept udp connections on port 53.
> You may also consider upgrading to Bind 9, which is a rewrite of the
> old (buggy) Bind code. If you don't need all the features, consider
> any of the alternative name servers.
> BIND exploits have been the tool of choice for a long time. They
> have lost some of their luster with people focusing on the much
> larger crowd of web servers. However, one of the first worms detected
> by DShield was based on a Bind exploit.
> -- 
> --------------------------------------------------------------------
> jullrich at euclidian.com             Collaborative Intrusion Detection
>                                          join http://www.dshield.org

Andre Oliveira da Costa

More information about the list mailing list