Security Incidents mailing list archives

Re: DNS Bind


From: gabriel rosenkoetter <gr () ECLIPSED NET>
Date: Wed, 31 Jan 2001 17:23:16 -0500

On Wed, Jan 31, 2001 at 02:57:59PM -0700, Somaini, Justin wrote:
> Not that I'm aware of.  DNS is not really my strongest suit so I have to
> rely upon our DNS guys.
> I believe that there needs to be an upgrade to fix the problem.
>
> If anyone disagrees please correct me.

I also don't know of anything to put in named.conf to make it ignore
TSIG queries entirely (and, anyway, wouldn't this bug be tickled in
the act of parsing the query before recognizing it as a TSIG and
tossing it?).

Anyway, you wouldn't want to... just because a query comes in signed
and you don't bother paying attention doesn't mean you should drop
the query (maybe someone else *insists* on using their signature...
screwing this up would be akin to dumping every PGP-signed piece of
mail because your mailer doesn't know what to do with the signature).

Really, everybody needs to upgrade (and, considering the fact that
BIND8 isn't being audited, but just patched as more and more of
these buffer overflows appear, everybody ought to upgrade to BIND9
now and be done with it), but if you keep named in a chroot, you're
a bit better off (not much an intruder can do beyond access your
plausibly private zones without so much as a compiler and no
efficient way to transfer things into the chroot from outside).

> One thing to do is to change the version posting in the named.conf file.
> The scanner looking for sub 9.1 could be tricked.  Actual attack failing of
> course.

Hrm. One more reason we should all have version "Surely, you must be
joking."; in our options block...

That's really not much help, though. The especially stupid script
kiddies will just try this on every named they find running, BIND or
otherwise. :^>

       ~ g r @ eclipsed.net

