Solution For BIND 9 Vulnerability (DNS Cache Poisoning)

Protecting your Linux box


Postby dev/null » Thu Jul 31, 2008 3:27 pm

Hi to all friends.

I am back again with another cracking solution.
BIND 9 now has a vulnerability, and it affects all major distributions.

BACKGROUND (Old Vulnerabilities):
It was already vulnerable, and that was discovered in late 2006. According to , two vulnerabilities have been discovered that affect various versions of BIND 9.

PLATFORM: BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3b1, 9.3.3rc1, 9.4.0a1, 9.4.0a2, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1

DAMAGE: If exploited, these vulnerabilities could potentially lead to a denial-of-service (DoS) condition.

For more information you can visit:

Current Vulnerability (DNS Cache Poisoning):
Discovered by Dan Kaminsky, who earlier this month announced a massive, multi-vendor issue with DNS that could allow attackers to compromise any name server - clients, too.

Instead of writing details on the vulnerability, I decided to write on the current solution for DNS cache poisoning.

Fedora/CentOS Solution:

Prerequisites and Assumptions:

+ Your firewall (iptables NAT/PAT or PIX) must have port 53 open in such a way that it allows random port selection.

+ You must be running BIND 9 on CentOS 4 or 5 or any Fedora Core system.

+ BIND should be running in chrooted mode; though not a prerequisite, it is a best practice.

+ In your /etc/named/named.conf or /etc/named.conf file, one must disable recursive querying and also add an ACL to allow only their own networks to make recursive requests. With this, the system administrator will have reduced the chances of cache poisoning to their own known networks.

acl "mynetworks" {
    localhost;
    localnets;
    /* add your own network ranges here, e.g. 192.0.2.0/24 (placeholder) */
};

// Note: once views are used, every zone statement must sit inside a view.
view "internal" {
    match-clients { mynetworks; };
    allow-query { mynetworks; };
    allow-recursion { mynetworks; };
    match-recursive-only yes;
};

view "external" {
    match-clients { any; };
    allow-query { any; };
    allow-recursion { none; };
    match-recursive-only no;
};

To Fix The BIND Vulnerability:
The first step is to check whether one's system is vulnerable by running the commands below, replacing with your organization's TLD or ccTLD.

[root@pk~] # dig +short TXT
" is POOR: 26 queries in 20.0 seconds from 1 ports with std dev 0.00"

POOR -----> definitely indicates that the name server or system in question is vulnerable, and of course the BIND software running is also old and needs to be PATCHED...

For those who run CentOS or Fedora systems, yum can be used to patch the systems. The CentOS 5 developers have already released a patch for the BIND software, and the current one is: bind-9.3.4-6.0.2.P1.el5_2. P1 indicates the package is a patched one.

On my systems, after patching, I got this result.

[root@pk~]# rpm -q bind

bind-9.3.4-6.0.2.P1.el5_2 ----> if your bind version is not patched, then patch it.

One should do this to get the latest software and patch.

[root@pk~]# yum update bind bind-chroot -y

One should edit their named.conf file and add the following. Save and reload BIND.

[root@pk~]# vi /etc/named.conf

options {
    directory "/var/named";
    allow-transfer { none; };           // placeholder: list your secondary servers here instead of none
    // query-source address * port 53;  // COMMENT OUT or REMOVE this line. It will allow random port selection. Only do this if the parameter is enabled under options in your named.conf file.
    dnssec-enable yes;                  // ADD this option to enable DNSSEC.
};

[root@pk~]# :wq
* The above line, when added to your named.conf file, will enable DNSSEC. Go ahead and set up DNSSEC.


[root@pk~]# /etc/init.d/named reload


[root@pk~] # dig +short TXT
[root@pk~] #
" is GOOD: 26 queries in 19.6 seconds from 26 ports with std dev 16515.27"

GOOD indicates that the name server in question at appears to be safe, but one must make sure the ports listed aren't following an obvious pattern, i.e. the ports with standard deviation 16515.27. But if your test clocks (10000.00 std dev) then your DNS server is safer and your clients or users should not worry.

Zeeshan Saeed Paracha
ISO 9001 Lead Auditor / Consultant
Uncertified Senior System Administrator
Uncertified Chief Hardware Technician
CELL : 0300 - 2220083
0323 - 2483387
0333 - 3452237
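As an added example (not part of the original post, and not a BIND or CentOS tool), the POSIX shell script below checks a named.conf for the three settings the post changes (a fixed query-source port, recursion not restricted to known networks, and dnssec-enable missing) and checks a bind package version string for the .P1 suffix the post relies on. The function names and the two sample configs it writes to a temporary directory are constructed for this demonstration; the "before" config reproduces the weak settings, the "after" config the post's corrected ones.

```shell
#!/bin/sh
# Added example (not from the original post): audit a named.conf for the
# three settings the post changes, and check a bind package version string
# for the ".P<n>" (patched) suffix the post relies on.  All function names
# and the sample configs below are constructed for this demonstration.

# strip_comments FILE -> FILE contents with '#' and '//' line comments removed
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1"
}

# audit_named_conf FILE -> prints one FINDING line per weak setting and
# returns the number of findings (0 means all three checks passed).
audit_named_conf() {
    conf="$1"
    findings=0
    active=$(strip_comments "$conf")

    # 1. "query-source ... port <n>" pins every outgoing query to one UDP
    #    source port, which is what made the 2008 cache-poisoning attack
    #    practical; removing it lets BIND pick a random port per query.
    if printf '%s\n' "$active" | grep -Eq 'query-source[^;]*port[[:space:]]+[0-9]+'; then
        echo "FINDING: query-source pins a fixed source port; remove the 'port' clause"
        findings=$((findings + 1))
    fi

    # 2. Recursion must be limited to known networks.  Older BIND 9.3 (the
    #    CentOS 5 package discussed in the post) allows recursion from any
    #    client when no allow-recursion statement is present.
    if ! printf '%s\n' "$active" | grep -Eq 'allow-recursion[[:space:]]*\{'; then
        echo "FINDING: no allow-recursion statement; recursion is open to any client"
        findings=$((findings + 1))
    elif printf '%s\n' "$active" | grep -Eq 'allow-recursion[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        echo "FINDING: allow-recursion { any; } makes this an open resolver"
        findings=$((findings + 1))
    fi

    # 3. The post adds "dnssec-enable yes;" under options.
    if ! printf '%s\n' "$active" | grep -Eq 'dnssec-enable[[:space:]]+yes[[:space:]]*;'; then
        echo "FINDING: dnssec-enable yes is not set"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# is_patched_bind VERSION -> 0 if the release field carries a .P<n> suffix
# (e.g. bind-9.3.4-6.0.2.P1.el5_2 from the post), 1 otherwise.
is_patched_bind() {
    printf '%s\n' "$1" | grep -Eq '^bind-[0-9.]+-[0-9.]+\.P[0-9]+(\.|$)'
}

# --- constructed sample configs (not real server configs) -----------------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
BEFORE="$WORKDIR/named-before.conf"
AFTER="$WORKDIR/named-after.conf"

cat > "$BEFORE" <<'EOF'
options {
    directory "/var/named";
    query-source address * port 53;
};
view "external" {
    match-clients { any; };
    allow-recursion { any; };
};
EOF

cat > "$AFTER" <<'EOF'
options {
    directory "/var/named";
    // query-source address * port 53;   # commented out: random source ports
    dnssec-enable yes;
};
acl "mynetworks" { localhost; localnets; };
view "internal" {
    match-clients { mynetworks; };
    allow-recursion { mynetworks; };
};
view "external" {
    match-clients { any; };
    allow-recursion { none; };
};
EOF

echo "== before patching =="
audit_named_conf "$BEFORE" || echo "$? finding(s)"
echo "== after patching =="
audit_named_conf "$AFTER" && echo "no findings"

# On a real CentOS/Fedora host, compare the installed package as well.
if command -v rpm >/dev/null 2>&1; then
    ver=$(rpm -q bind 2>/dev/null) || ver=""
    if [ -n "$ver" ]; then
        if is_patched_bind "$ver"; then echo "$ver: patched build"; else echo "$ver: no P suffix, run yum update bind"; fi
    fi
fi
```

Run it as-is to see three findings for the "before" config and none for the "after" one, or point audit_named_conf at your own /etc/named.conf (or the chroot copy under /var/named/chroot). The P-suffix check only mirrors the package naming the post describes; the distribution's advisory is the authoritative word on whether a given build carries the fix, and the porttest result from the post remains the end-to-end confirmation that random ports are actually leaving the firewall.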

Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Postby x2oxen » Thu Jul 31, 2008 6:09 pm

What will you say about FreeBSD?
Muhammad Usman
Chemonics International

Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Postby lambda » Thu Jul 31, 2008 9:13 pm

all operating systems that use bind are vulnerable.

fortunately, i use djbdns, and have for about eight years.
Watch out for the !
Isn't it amazing how so many people can type "" into their browsers but not ""?

Battalion Havaldaar Major
Posts: 269
Joined: Sat Dec 13, 2003 3:58 pm
Location: Faisalabad

Postby nasacis » Fri Aug 01, 2008 2:57 pm

Read this article about cache poisoning
Nafees Ahmed
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad

Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Postby x2oxen » Sat Aug 02, 2008 2:24 pm

Well, at least mine are safe now, as I have upgraded them and they successfully completed all the vulnerability tests required.
Muhammad Usman


Chemonics International

Posts: 714
Joined: Wed Aug 07, 2002 8:00 pm

Postby nomankhn » Mon Sep 22, 2008 4:29 am

Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Postby x2oxen » Tue Sep 23, 2008 10:16 am

Muhammad Usman


Chemonics International
