Wednesday, August 12, 2009

BIND 9 Dynamic Update DoS Security Update


BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named daemon is an Internet domain name server for UNIX-like operating systems. Dynamic update messages may be used to update records in a master zone on a nameserver. When named receives a specially crafted dynamic update message, an internal assertion check is triggered which causes named to exit. An attacker who can send DNS requests to a nameserver can therefore make it exit, creating a denial-of-service condition. Configuring named to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. An exploit is public. Please upgrade immediately.

Our hosting provider seems to have come under DoS attack too at the same time, and their DNS server went down for a couple of hours. So you may see some parts of our site not working, especially our CSS, JS and image files, which come from our service provider's servers affected by the BIND server problem.

Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC claims it affects all versions of BIND 9. However, another update from Red Hat stated that:

Updates with similar patch are undergoing quality assurance testing now and will be released as soon as they are fully tested.

How Do I Fix This Under Debian / Ubuntu Linux?

Upgrade your vulnerable package using the following commands:
# apt-get update
# apt-get upgrade
# /etc/init.d/bind9 restart

How Do I Fix This Under FreeBSD Operating System v6.x and v7.x?

To patch your system, download the relevant patch from FreeBSD using the commands below, verify the detached PGP signature with your PGP utility, then rebuild and reinstall the BIND library and the named binary from source:
# cd /tmp
# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch.asc
# gpg --verify bind.patch.asc bind.patch
# cd /usr/src
# patch < /tmp/bind.patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart
# rm /tmp/bind.patch /tmp/bind.patch.asc

How Do I Patch RHEL / Fedora / CentOS Linux Server?

A Red Hat / CentOS specific patch is available here.

Update, Jul 30, 1:31: Updated bind packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. You can grab the same from RHN, or simply run the following command at a shell prompt:
# yum update

CentOS Linux users will get the same in a day or two.

Other Suggestions

A Slashdot user suggested the following iptables rule, which uses the u32 match module to drop DNS packets whose opcode is 5 (UPDATE). Note that it only covers UDP, drops legitimate updates as well as hostile ones, and assumes a 20-byte IP header (offset 30 is the DNS flags word only when the packet carries no IP options):

iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'
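To see what the u32 expression above is actually testing, and where it falls short, here is an added example (not from the original post or the Slashdot comment) that parses constructed IPv4/UDP/DNS packets two ways: once by replicating the rule's fixed-offset arithmetic, and once by honouring the IPv4 IHL field to find the real DNS header. The packet builder, addresses and sample data are constructed for this example only; checksums are left zero because nothing here is sent on the wire.

```python
import struct

# DNS opcodes (RFC 1035 / RFC 2136): 0 = QUERY, 5 = UPDATE
OPCODE_QUERY = 0
OPCODE_UPDATE = 5


def u32_rule_matches(pkt: bytes) -> bool:
    """Replicate the iptables u32 test '30>>27&0xF=5'.

    u32 reads 4 bytes at offset 30 of the IPv4 packet (20-byte IP header +
    8-byte UDP header + 2-byte DNS ID lands on the DNS flags word), shifts
    right by 27 so only QR + the 4 opcode bits remain, masks to the opcode,
    and compares with 5 (UPDATE).
    """
    if len(pkt) < 34:
        return False  # u32 cannot match a packet too short for the read
    word = struct.unpack_from("!I", pkt, 30)[0]
    return (word >> 27) & 0xF == OPCODE_UPDATE


def dns_opcode(pkt: bytes):
    """Locate the DNS header properly: honour IHL, step over UDP, read opcode.

    Returns the opcode, or None if the packet is not IPv4/UDP with a full
    DNS header.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    if pkt[9] != 17:                   # protocol 17 = UDP
        return None
    dns_off = ihl + 8                  # UDP header is 8 bytes
    if len(pkt) < dns_off + 12:        # DNS header is 12 bytes
        return None
    flags = struct.unpack_from("!H", pkt, dns_off + 2)[0]
    return (flags >> 11) & 0xF


def build_packet(opcode: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 (optional options) / UDP to port 53 /
    a DNS message with the given opcode and one zone/question entry."""
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4
    # DNS header: ID, flags (opcode in bits 11-14), QD/ZO=1, AN/PR=0, NS/UP=0, AR=0
    dns = struct.pack("!HHHHHH", 0x1234, (opcode & 0xF) << 11, 1, 0, 0, 0)
    # Zone (for UPDATE) or question (for QUERY): example.com, type SOA, class IN
    dns += b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    total_len = ihl * 4 + len(udp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 10]),   # constructed source (TEST-NET-1)
        bytes([192, 0, 2, 53]),   # constructed nameserver address
    ) + ip_options
    return ip + udp


def classify(pkt: bytes) -> dict:
    """Compare what the u32 rule would do with what the packet really is."""
    return {"u32_rule": u32_rule_matches(pkt), "opcode": dns_opcode(pkt)}


if __name__ == "__main__":
    for label, pkt in [
        ("plain UPDATE", build_packet(OPCODE_UPDATE)),
        ("plain QUERY", build_packet(OPCODE_QUERY)),
        # Four NOP (0x01) IP options shift every offset by 4 bytes, so the
        # fixed-offset rule no longer sees the DNS flags word.
        ("UPDATE with IP options", build_packet(OPCODE_UPDATE, b"\x01" * 4)),
    ]:
        print(f"{label:24s} {classify(pkt)}")
```

The third sample is the point: with IP options present the u32 rule reads the UDP checksum and DNS ID instead of the flags, so an UPDATE passes the filter while the IHL-aware parser still reports opcode 5. The rule is a useful stopgap for ordinary traffic, not a substitute for patching or for keeping the master off the Internet.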

Another user at the Red Hat support site suggested the following workaround:

Based on the original advisory, this appears to affect only "master" servers. One standard best practice is to have one master and multiple slaves and to protect that master (no exposure to the Internet). This would seem to be a mitigation. This is a BCP (Best Common Practice) for those of us who have been doing this for years.

Another option is to use the DJBDNS DNS server instead.
