Fw: DNS Vulnerability.

Jim Reid jim at rfc1035.com
Tue Nov 9 16:47:30 UTC 2004

>>>>> "Cameron" == Cameron Moffett <moffcam at statcan.ca> writes:

    Cameron> A DNS vulnerability was published today:
    Cameron> http://www.uniras.gov.uk/vuls/2004/758884/index.htm

    Cameron> Does anyone know if the various versions of Bind are
    Cameron> susceptible to this vulnerability?

To the best of my knowledge, no version of BIND has ever treated an
incoming packet that has the QR bit set -- i.e. a query response -- as a
query. For a definitive statement about this, check the ISC web site.
They publish a list of known vulnerabilities in BIND and the versions
that are susceptible to them. If BIND had been vulnerable to this
attack, there would be something about that on www.isc.org.

This advisory is rather odd as it makes no mention of any of the most
commonly used DNS implementations. There are no links on this URL to
the obvious places like CERT where security vulnerabilities are
usually announced.

The advisory mentions Roy Arends and Jakob Schlyter. My guess is their
fingerprinting tool was tried against these obscure DNS implementations.
IIUC one of the tool's torture tests is to send a "query" that has the
QR bit set. [A query by definition cannot set the QR bit.] This will
have tickled the bugs in these implementations which Roy or Jakob has
presumably then reported to the vendors and system administrators
concerned. I know Roy was sending these types of queries to name
servers ~2 years ago. So if BIND had been affected, we'd have heard
about it long before now.
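
The QR-bit check discussed in the reply above, as an added example that is not part of the original post and is not BIND's code: a listener classifies each packet by the QR bit in the DNS header and replies only to genuine queries. The sample packets, the function names and the choice of a REFUSED reply are assumptions made for illustration.

```python
import struct

QR_MASK = 0x8000      # top bit of the 16-bit flags word (RFC 1035, 4.1.1)
RCODE_REFUSED = 5     # placeholder answer; a real server would resolve the name
HEADER_LEN = 12

# Constructed sample: question section for "example.com", type A, class IN.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)


def make_packet(txid, qr):
    """Build a constructed DNS message with QR clear (query) or set (response)."""
    flags = 0x0100 | (QR_MASK if qr else 0)   # RD set, as a stub resolver would
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + QUESTION


def classify(packet):
    """Return 'query', 'response' or 'malformed' from the header alone."""
    if len(packet) < HEADER_LEN:
        return "malformed"
    flags = struct.unpack_from("!H", packet, 2)[0]
    return "response" if flags & QR_MASK else "query"


def handle(packet, stats):
    """Server-side gate: answer only QR=0 packets, drop and count the rest."""
    kind = classify(packet)
    stats[kind] = stats.get(kind, 0) + 1      # counters an operator can alert on
    if kind != "query":
        return None                           # never reply to a reply
    txid, flags = struct.unpack_from("!HH", packet, 0)
    flags = (flags & 0xFFF0) | QR_MASK | RCODE_REFUSED
    return struct.pack("!HH", txid, flags) + packet[4:]


if __name__ == "__main__":
    stats = {}
    for pkt in (make_packet(0x1234, False), make_packet(0x1234, True), b"\x00" * 5):
        reply = handle(pkt, stats)
        print(classify(pkt), "->", "reply sent" if reply else "dropped")
    print(stats)
```
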
