A potential bind8 'force response reconstruction' patch.

Ted_Rule at flextech.co.uk Ted_Rule at flextech.co.uk
Fri Jul 5 08:33:22 UTC 2002




The recent CERT Advisory relating to DNS library buffer overflows reminded me
about a thread on bind-workers nearly 2 years ago. The thread discussed the
apparent root NS record corruption on various bind8 caching servers.

The general conclusion - as I recall - was that if a trusted forwarder managed
to return a corrupted root NS response, the forwarder's client was vulnerable
if it wasn't configured "forward only". This led the client caching server to
use the broken NS record if the forwarder ever became temporarily unavailable,
thereby leading to chaos on the client caching server.

One of the fixes suggested at the time was to ensure that the forwarder server
itself always reconstructed responses via its own cache.

I had originally thought that the reconstruction had been included in later
bind8 versions as a general sanity check, but the CERT Advisory implies that
all bind8 servers fail to force reconstruction, and I've certainly seen a
corrupt root NS record or two in the last few months on my internal forward
only 8.2 servers.

A quick look through the 8.3.3 source code reveals that the code snippet in
ns_resp.c which Mark Andrews suggested a patch for still exists as was,
although obviously so much other code surrounding it has changed in the
meantime that his fix may now be meaningless.

For those of us who still have issues - probably albeit minor - with bind9, is
there any mileage in applying this patch or something similar to 8.3.3 to
offer another potential piece of protection in the general DNS armoury?

See below for Mark's original posting.


Ted Rule,
Flextech Television






Mark.Andrews at nominum.com on 07/09/2000 13:07:35

To:   Ted Rule/160GPS/Flextech/UK at Flextech
cc:   bind-workers at isc.org

Subject:  Re: odd behavior in bind-8.2.2_P3 (fwd) - "illegitimate COM server" - more




     I'm tempted to make the lame checks further up just reject
     these answers.

     The patch below should force everything through the cache.

     Mark

Index: src/bin/named/ns_resp.c
===================================================================
RCS file: /proj/cvs/isc/bind/src/bin/named/ns_resp.c,v
retrieving revision 8.146
diff -u -r8.146 ns_resp.c
--- ns_resp.c  2000/08/21 06:45:17 8.146
+++ ns_resp.c  2000/09/07 11:59:12
@@ -1145,7 +1255,7 @@
          return;
     }

-    if (ancount && count && !validanswer) {
+    if (count) {
          /*
           * Everything passed validation but we didn't get the
           * final answer.  The response must have contained
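Review bot: the new condition no longer matches the comment directly beneath it. `if (count)` drops both the `ancount` and the `!validanswer` guard, so this branch is now entered even when the response did carry a valid final answer, yet the comment still says "Everything passed validation but we didn't get the final answer." Rewrite the comment to state that the response is now always rebuilt from the cache regardless of whether a valid answer was received, and re-check any code later in this function that relied on `validanswer` being false on this path. The hunk header `@@ -1145,7 +1255,7 @@` also places the new-file context 110 lines after the old-file context, which indicates the diff was taken against a tree with other local changes; it will need regenerating against 8.3.3 before it applies cleanly.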
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
***************************************************************************************************

This E-mail message, including any attachments, is intended only for the person
or entity to which it is addressed, and may contain confidential information.

If you are not the intended recipient, any review, retransmission, disclosure,
copying, modification or other use of this E-mail message or attachments is
strictly forbidden.

If you have received this E-mail message in error, please contact the author and
delete the message and any attachments from your computer.

You are also advised that the views and opinions expressed in this E-mail
message and any attachments are the author's own, and may not reflect the views
and opinions of FLEXTECH Television Limited.

***************************************************************************************************
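The client-side setting the post turns on is the `forward` directive. As an added example (not from the post, and not ISC's text), the two named.conf `options` blocks below show the default `forward first` behaviour that lets a caching server fall back to its own recursion, beside the `forward only` form the post recommends. The forwarder address and directory are placeholders; the two blocks are alternatives, not one file.

```conf
// Weak: "forward first" is what you get by default once forwarders are
// listed. If 192.0.2.53 (placeholder) stops answering, named recurses on
// its own, starting from whatever root NS set it currently has cached,
// which may be the corrupt one it learned from that forwarder.
options {
        directory "/var/named";        // placeholder path
        forwarders { 192.0.2.53; };    // placeholder forwarder
        forward first;
};

// Hardened: "forward only". If the forwarder is unreachable the query
// fails instead of being retried via the cached root NS set, so a bad
// root NS record can never become the starting point for recursion.
options {
        directory "/var/named";        // placeholder path
        forwarders { 192.0.2.53; };    // placeholder forwarder
        forward only;
};
```

`forward only` only closes the fallback path; it does not stop the server from caching a bad root NS set that the forwarder relays, which is consistent with the post seeing such records on forward-only 8.2 servers. After a reload, `dig @127.0.0.1 . NS` compared against the root hints file shows whether the cached set is the expected one.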