bind8.2 security issues

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Mon Jul 1 11:29:34 UTC 2002 

Steve Foster <fosters at uk.psi.com> wrote:

> At 09:58 01/07/02 GMT, phn at icke-reklam.ipsec.nu wrote:
>>
>>Steve Foster <fosters at uk.psi.com> wrote:
>>
>>> All,
>>
>>
>>> i have seen the postings on this group and via CERT about the
>>> vulnerabilities in Bind8.X , however i am bit confused as to how to
>>> progress. I currently have bind running 8.2.3 on Solaris 2.6 , i have no
>>> problems re-building a new version of bind to replace it, however Sun=
>  have
>>> not released any details on new resolver library patches, So should i=
>  wait
>>> until they do before building a new version of bind, or does bind use its
>>> own internal ones for build named etc...
>>
>>Using bind-9 as resolving nameserver for all your clients seems to be=20
>>a good workaround. That way no resolver is ever exposed to an=20
>>answer from hostile nameservers "out there".

> Cool, i have no problem replacing my resolvers with bind9, as there are no
> specific config issues i have to worry about...at the moment all my
> resolvers are running named, which as you suggest below is not an
> issue...so assuming sun bring out a patch, we should be okay to patch all
> of internal and external servers which use the customer resolvers. my other
> servers are primary and secondary servers running named, i assume that
> there is no inherent risk in leaving these at bind8.2.3 in the short-term,
> as as you say, any calls to named from externally will use the internal
> resolver functions in named...

Not entirely,   

any packet that will cause an application ( and syslog is an application) to
ask DNS for an answer is risky. 

To reduce that , make shure /etc/resolv.conf points to a bind-9 in all your systems
exposed to Internet.


>>
>>Time to install bind-9 !!
>>
>>> Also it says that named itself is not vulnerable, how can this be so??
>>
>>It's not named that is vulnerable, it's the resolver code that all your=20
>>applications use. Named uses it's own ( not vulnerable) code for resolving.
>>
>>
>>> many thanks in advance
>>
>>> Steve
>>> Steve Foster
>>> Senior Systems Administrator
>>> PSINet Europe
>>> Work: +44 (1223) 577322
>>> Mobile: +44 (7720) 425911
>>
>>
>>--=20
>>Peter H=E5kanson        =20
>>        IPSec  Sverige      ( At Gothenburg Riverside )
>>           Sorry about my e-mail address, but i'm trying to keep spam out,
>>	   remove "icke-reklam" if you feel for mailing me. Thanx.
>>
>>
>>
> Steve Foster
> Senior Systems Administrator
> PSINet Europe
> Work: +44 (1223) 577322
> Mobile: +44 (7720) 425911


-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

More information about the bind-users mailing list