oss-sec mailing list archives
Re: PowerDNS Security Advisory 2014-02
From: Peter van Dijk <peter.van.dijk () netherlabs nl>
Date: Tue, 9 Dec 2014 08:54:15 +0100
Hello,

On 09 Dec 2014, at 8:16, Peter van Dijk <peter.van.dijk () netherlabs nl> wrote:
> Somebody asked me to (help him) check djbdns today, which we’ll do. Any other implementations you are interested in?

Vanilla djbdns 1.05 manages a counter called ‘loop’ (look for ‘z->loop’ in the code); if this counter hits 100, it simply aborts the current query. This is similar to the fixes now present in PowerDNS, BIND and Unbound.

    Breakpoint 4, doit (z=0x611660 <u>, state=1) at query.c:452
    452         if (++z->loop == 100) goto DIE;
    1: z->loop = 99
    (gdb) cont
    Continuing.

It then logs ‘drop 1 input/output error’ and aborts resolution of this query. Note that it actually drops the query, the client will eventually time out; PowerDNS Recursor sends a SERVFAIL, and I presume so do BIND and Unbound.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
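Added example, not part of the original message and not djbdns code: a minimal C sketch of the per-query work counter described above, showing the two failure behaviours the message contrasts (dropping the query versus answering SERVFAIL). The referral table, the names under .test and the resolve() helper are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STEPS 100 /* same threshold as the z->loop check quoted above */
enum outcome { ANSWERED, DROPPED, SERVFAIL };
enum policy { ON_LIMIT_DROP, ON_LIMIT_SERVFAIL };

/* Constructed referral data: each name is delegated to `next`;
 * next == NULL means the name is answered authoritatively. */
struct referral { const char *name; const char *next; };
static const struct referral TABLE[] = {
    { "www.example.test", "ns.example.test" },
    { "ns.example.test",  NULL },
    { "a.loop.test",      "b.loop.test" },   /* a -> b -> a: never terminates */
    { "b.loop.test",      "a.loop.test" },
};

static const struct referral *find(const char *name)
{
    for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++)
        if (strcmp(TABLE[i].name, name) == 0) return &TABLE[i];
    return NULL;
}

/* Follow referrals from `name`, charging one unit of work per step.
 * *steps receives the work spent, so callers can log or alert on it. */
enum outcome resolve(const char *name, enum policy p, unsigned *steps)
{
    enum outcome fail = (p == ON_LIMIT_DROP) ? DROPPED : SERVFAIL;
    unsigned loop = 0;
    for (;;) {
        *steps = ++loop;
        if (loop == MAX_STEPS) return fail;   /* budget exhausted: abort query */
        const struct referral *r = find(name);
        if (r == NULL) return fail;           /* no data: treated as failure here */
        if (r->next == NULL) return ANSWERED;
        name = r->next;
    }
}

int main(void)
{
    static const char *label[] = { "answered", "dropped (client times out)", "SERVFAIL" };
    unsigned steps;
    enum outcome o = resolve("www.example.test", ON_LIMIT_DROP, &steps);
    printf("www.example.test: %s after %u steps\n", label[o], steps);
    o = resolve("a.loop.test", ON_LIMIT_SERVFAIL, &steps);
    printf("a.loop.test: %s after %u steps\n", label[o], steps);
    return 0;
}
```

With the drop policy the client sees no reply at all and has to wait out its own timeout; with the SERVFAIL policy it gets an immediate, explicit failure.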