New DNS Vulnerability Has Organizations Scrambling

Organizations using the BIND 9 DNS server are being urged to update and patch their servers to correct a zero-day vulnerability that can allow remote attackers to execute denial-of-service (DoS) attacks against them.

The Internet Systems Consortium, which maintains BIND, a widely used open source DNS server, announced last week that an exploit already is in wide circulation for the vulnerability, which can cause servers running BIND 9 to crash.

The Dynamic Update Denial of Service vulnerability was announced last week, and ISC has released updated versions of the affected server releases. Vendors of commercial products based on the software also are releasing patches for the vulnerability.

Patching is crucial, ISC said in announcing the vulnerability. "Access controls will not provide an effective workaround."

The Domain Name System is a protocol for associating domain names with the numerical IP addresses that are used to direct Internet traffic. DNS underlies almost all Internet activity. BIND (originally the Berkeley Internet Name Domain) is DNS software that probably is being used on more than half of the world's public DNS servers.

According to ISC, when most versions of BIND 9 -- the current release of the software -- are configured as a master server, the receipt of a specially crafted dynamic update message can cause the server to crash. "Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master," the alert says. "Launching the attack against slave zones does not trigger the assert" that causes the crash. "This vulnerability affects all servers that are masters for one or more zones -- it is not limited to those that are configured to allow dynamic updates."
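As an added, defender-side example (not from the article, ISC or BIND itself): a small Python parser that classifies inbound DNS requests and flags dynamic-update messages aimed at zones a server is master for, which is the traffic the alert singles out. The zone list, message IDs and sample messages are constructed for the demonstration.

```python
import struct

OPCODE_UPDATE = 5  # opcode for dynamic update requests (RFC 2136)

def encode_name(name):
    # Wire-format a dotted name as length-prefixed labels plus the root label.
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(buf, off):
    # Decode an uncompressed name at offset off; return (name, next offset).
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels).lower() + ".", off + 1
        if n & 0xC0:  # a compression pointer cannot appear in the first name
            raise ValueError("unexpected label type")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def build_request(opcode, name, rtype):
    # Constructed sample request: header with the given opcode and one entry
    # in the question/zone section carrying name, type and class IN.
    header = struct.pack("!HHHHHH", 0x1234, (opcode & 0xF) << 11, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", rtype, 1)

def classify(packet, master_zones):
    # Classify one inbound DNS message. 'update-master' means a dynamic update
    # directed at a zone this server is master for; per the alert, ACLs do not
    # stop the crash, so such traffic is worth watching until servers are patched.
    if len(packet) < 12:
        return "malformed", None
    _, flags, qd, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        return "response", None
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return "query", None
    if qd != 1:  # RFC 2136 requires exactly one entry in the zone section
        return "malformed", None
    try:
        zone, _ = decode_name(packet, 12)
    except (IndexError, ValueError, UnicodeDecodeError):
        return "malformed", None
    masters = {z.lower().rstrip(".") + "." for z in master_zones}
    return ("update-master" if zone in masters else "update-other"), zone
```

Feed it raw UDP payloads captured on port 53 in front of a master server; the zone section of an update carries the target zone name at offset 12, so no full-message parse is needed to classify it.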

ISC has rated this vulnerability at high severity, largely because of the existence of a zero-day exploit. The National Institute of Standards and Technology's National Vulnerability Database rates it at medium severity, with a low rating for its impact but a high rating for its exploitability.

The vulnerability comes about a year after the announcement of a vulnerability in the DNS protocols, discovered by researcher Dan Kaminsky, director of penetration testing at IOActive. The vulnerability could enable poisoning of DNS records and allow the malicious redirection of traffic. Because the vulnerability was in the protocol itself and not a specific product, it was seen as a serious threat and Kaminsky worked with the industry for months in advance of the vulnerability's announcement to develop a quick fix for it. That vulnerability has helped to spur implementation of the DNS Security Extensions (DNSSEC) within the Domain Name System as a more permanent fix.

At least one industry observer sees the BIND Dynamic Update DoS vulnerability as more serious than Kaminsky's vulnerability.

"It's a lot simpler to run and execute," said Branko Miskov, director of product management for BlueCat Networks, an IP address management company. "Pretty much any BIND 9 server can be brought down with this script. Our development team was quite surprised at how simple this was."

He said one serious threat would be the implementation of the exploit in a worm, which could provide a persistent mechanism for repeated attacks against a server, bringing its operation to a halt.

Miskov said BlueCat was one of the first commercial product vendors to produce a patch for the vulnerability, and that the company has seen a "huge uptake" by customers of the patches.

ISC recommends that users upgrade BIND to patched versions of the software. These versions can be downloaded from:

ISC began work on BIND 9 in 1998 and it now is the most widely used version of the software. It has begun development of the next generation of the software, BIND 10.

About the Author

William Jackson is the senior writer for Government Computer News (