Bugtraq mailing list archives
Re: BIND Nuking
From: sthaug () NETHELP NO (Steinar Haug)
Date: Mon, 28 Jul 1997 19:37:33 +0200
Why don't you try it out? The answer: If the update comes from a host not on the access list, it will be rejected, and the attempt will be logged, like this:

Jul 28 19:29:41 verdi named[2118]: unapproved update from [195.1.171.130].1594 for netsafe.no

Putting 127.0.0.1 in such an access list is probably not a good idea, for what should be obvious reasons.
If the answer is Yes, this could be very dangerous, every BIND 8.1.x compiled with ALLOW_UPDATES will be vulnerable, even if you don't have access to modify zones.
The answer is no. Also, by default, no updates are allowed. It's only if "allow-update" *and* a suitable access list is included in the named configuration file that you'll be able to trigger this bug - and then only from the host(s) mentioned in the access list.

It's still a bug, and needs to be fixed. But there's no reason to be overly worried - of the sites running bind 8 I'd guess that only a very small fraction have configured named to accept updates.

Steinar Haug, Nethelp consulting, sthaug () nethelp no
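
Added example, not part of the original message or of BIND: a small parser that picks the "unapproved update" rejections described above out of syslog lines and counts them per source and zone. The line format is taken from the single log line quoted in the message; the extra sample lines, the 192.0.2.10 address, example.org, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Format assumed from the one log line quoted in the message:
#   <Mon> <day> <time> <host> named[<pid>]: unapproved update from [<ip>].<port> for <zone>
UNAPPROVED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+named\[\d+\]:\s+"
    r"unapproved update from \[(?P<src>[0-9.]+)\]\.(?P<port>\d+)\s+for\s+(?P<zone>\S+)\s*$"
)


def parse_unapproved(lines):
    """Return one dict per rejected dynamic update found in the syslog lines."""
    events = []
    for line in lines:
        m = UNAPPROVED.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def summarize(events):
    """Count rejected updates per (source address, zone) pair."""
    return Counter((e["src"], e["zone"]) for e in events)


def repeat_sources(events, threshold=2):
    """Sources with at least `threshold` rejections (threshold is an assumption)."""
    per_src = Counter(e["src"] for e in events)
    return sorted(s for s, n in per_src.items() if n >= threshold)


# Constructed sample: line 1 is the line quoted in the message, the rest are invented.
SAMPLE_LOG = """\
Jul 28 19:29:41 verdi named[2118]: unapproved update from [195.1.171.130].1594 for netsafe.no
Jul 28 19:30:02 verdi named[2118]: unapproved update from [192.0.2.10].1033 for example.org
Jul 28 19:30:05 verdi named[2118]: unapproved update from [192.0.2.10].1034 for example.org
Jul 28 19:31:00 verdi named[2118]: some unrelated named message
""".splitlines()

if __name__ == "__main__":
    evs = parse_unapproved(SAMPLE_LOG)
    for (src, zone), n in sorted(summarize(evs).items()):
        print(f"{src:15} {zone:12} {n}")
    print("repeat sources:", repeat_sources(evs))
```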