Bind 4 and 8 Vulnerabilities
eecue writes "The world's most popular DNS package is once again vulnerable. Even the advisory says it's only a matter of time before worms are written... just like a couple years ago. I guess this is why I run tinydns."
Passive Worm Potential... PATCH NOW (Score:5, Insightful)
The nasty parts: Enough people dual-use their DNS servers (serving as both authoritative master for outside and for their own lookups) that you could get lots of authoritative masters. It also does NOT scan.
It could be made even stealthier if the exploit, on failure, would still function. On success, it of course functions normally. This might be harder, but, if so, it would be really REALLY hard to detect such a worm.
It would take a bit of writing to get right, so there is a good window in which to patch your machines. So patch SOON.
Re:Did ISS tell bind maintainers? (Score:5, Insightful)
This however appears to be yet another situation where ISS has gone ahead and released an advisory before the vendors have actually had a chance to make patches available to the public.
This is supposed to be a security firm that is trying to assist the public in keeping their boxen secure? If so, I'm really scared of the firms that are out there really trying to do damage.
What if you can't use (fill_in_the_blank)? (Score:5, Insightful)
So, it is all well and good if someone out there has the choice to install some other software, but keep in mind that it is not necessarily an option for everyone...
Newer major versions often drop features (Score:2, Insightful)
Another vulnerability has been found in Microsoft Windows 98...
I take that comment to imply: "Windows 98 Second Edition is too old to be supported; all users of Windows 98 Second Edition should upgrade to Windows XP Home Edition." The problem with upgrading from one major version of a product to the next just to fix a bug is that newer major versions will often drop useful features that an older version had. For instance, Windows XP Home Edition loses Windows 98's competent support for running proprietary applications designed for MS-DOS. In addition, XP Home loses the ability to run acceptably on a 133 MHz machine with 32 MB of RAM.
Does BIND 9 drop major features or require more hardware for a given level of service vs. BIND 8?
Re:Tips (Score:4, Insightful)
DJB has been quite clear on this. DJBDNS has his name on it, his guarantee against remote exploits, and his own petty little rant about where things should be installed, and why they should be the same on different systems. As far as he is concerned, you may NOT distribute binaries unless you guarantee they build exactly like the source would build them on the machine in which they are used.
However, he is also QUITE clear. Source patches are fine. Of any sort. This is not any more the original djbdns package, and his guarantee goes out the window. Debian does this with qmail, for example.
I use djbdns, but I REALLY like free software. WHY? Well, BIND is buggy as hell. It is probably the worst possible server software ever written with respect to remote exploits. And, even after the BIND 8 rewrite, it is still buggy as hell. It is also a pain in the ass to configure.
In contrast, djbdns is pretty easy to configure and install. I installed it exactly once per machine (mostly caching servers for local machines only, but also domain servers). It never stopped working. EVER. It never needed restarting. It never needed attention. I sometimes forget it is even running. There has never been an exploit.
So I ask you - if something works like this, why do you need to be able to redistribute anything more than patches? You install the dern thing once and it just keeps going like the Energizer bunny.
So, go ahead, laugh if you want. Install buggy BIND, or some other DNS package. DJBDNS keeps my machines working, free from exploits of dns origin, and it never breaks down or needs attention. And if it ever does, I still have the source and permission to alter it for my own use, and to distribute patches that alter it to others.
That pretty much covers the freedoms I want from my DNS software. Granted, it would be cooler yet if distros could package it and distribute as THEY see fit (placing the trust in the distro and not in DJB), but DJB is kinda quirky, so I live with the next best thing.
Re:Escape (Score:4, Insightful)
That's assuming you ever find one. qmail's withstood the security guarantee since 1998. djb tends to write fairly good software... Besides, people are allowed to release unofficial patches to djb projects and quite a community has grown up around additional features. See qmail.org [qmail.org] and tinydns.org [tinydns.org].
Oh come on. If something works well and implements the standards, why should you bother to add more gimmicks? "If it ain't broke, don't fix it."
Re:patches already available (Score:3, Insightful)
The problem, if you want to call it that, with OSS is that once you release something broken, you have to hear bug reports about it for the rest of your life. I still occasionally hear from people who are running pre-1.0 snapshots of the ISC DHCP server. That's just how it is in the open source world.
In 2150, some idiot on the Mars colony is going to get hacked by a guy in Plano, TX, because he or she is still running BIND 4 on the Marinaris City web server.
Re:Escape (Score:2, Insightful)
There hasn't been a djbdns release since 12-Feb-2001 and the project is bound to go stale sooner or later if djb does not renew his interest.
Maybe it hasn't been updated since Feb 2001 since it's complete and doesn't need any new updates? Is that such an amazing concept?
Re:BIND9 (Score:3, Insightful)
With redundant servers running different software, the chance of a single attack taking them all down is minimized.
Re:I like MyDNS (Score:2, Insightful)
MyDNS was specifically designed for use by ISPs and other entities where very large DNS databases are maintained, and frequently updated, and where instantaneous or near-instantaneous updates are desirable.
It's not really any better than the competition, IMO, for small local DNS needs, such as serving static DNS data for just a couple of domains -- but I think it's the best around for large, frequently changing DNS data.
Re:Tips (Score:1, Insightful)
The freedom to run the program, for any purpose
DJB software gives you this.
The freedom to study how the program works, and adapt it to your needs
Yup. You have the source, and you can change it for your own needs. Also true.
The freedom to redistribute copies so you can help your neighbor
You can distribute the source package as it exists at the official distribution web site, and you can distribute patches. So, this one is true, too.
The freedom to improve the program, and release your improvements to the public, so that the whole community benefits.
This is ALSO true. A bunch of whiny ignorant assholes are calling djb software more restrictive than proprietary licenses! DJB provides you the source, the ability to modify it, the ability to redistribute your patches, and the latest source.
The things that are missing are the right to distribute a modified and/or binary version of the software. You can only distribute source (unless you can establish on install that the binary is built just like the source build would do it), and modification can only be in patch form.
But, in general, all GNU freedoms are preserved, and the source is freely available (free as in beer).
BIND is too pervasive (Score:2, Insightful)
One of the least appreciated strengths of the internet is its diversity. MS Office (macro viruses) and MS Outlook (all the other viruses) are great examples of how dangerous a homogeneous environment can be - and so is BIND.
The logical conclusion is that we should all actively explore and support alternative solutions, and luckily the internet community seems to enjoy doing this anyway. I use MaraDNS - a simple, secure, open-source, well supported, low overhead authoritative and caching name server that does zone transfers (with a crap website, unfortunately).
So if you aren't hogtied by corporate policy, try an alternative - increase diversity - strengthen the internet. Just don't all switch to MaraDNS...
Brian: You don't need to follow me! You're all individuals!
Crowd (together): Yes! We're all individuals!
Individual: I'm not.
this wouldn't be a problem ... (Score:2, Insightful)
Running your daemons with restricted privs, in a chroot jail, is a great example of software that fails gracefully.
Re:QPL? (Score:3, Insightful)
Has Bernstein put permission to redistribute any patches against djbdns in writing? If so, then the license becomes roughly equivalent to the Trolltech QPL.
As Prof. Bernstein himself has pointed out, as a matter of copyright law, patches are considered analogous to commentary on the original work, and not as derivative works. Thus, the author of the original work has no claim upon them.
So, with a source-available proprietary software package like djbdns, you can end up with a quasi-free software ecology based around distribution of patches and compile-time modification. Inevitably, those patches end up being very seldom regression-tested against one another. Also, if the base package ever ceases to be maintained, continuing development via patch-distribution alone isn't really very practical. It would rapidly become such a hassle that I'm pretty sure the project would effectively die, at that point.
The fix for that problem is of course licensing that includes a right to fork [linuxmafia.com]. But that's possible only if the copyright holder is willing to grant that right, which Prof. Bernstein (for most of his project) is not.
That is not intended as a criticism of Prof. Bernstein (whom I admire for his dogged defence of crypto rights), nor of his software (even though I don't like or use the latter). It's just the facts of copyright law and licensing as I understand them.
Buggy? At least the vulnerability mentioned in the article does not affect the most recent version of BIND 9.x.
Indeed. One of the most distressing aspects of Prof. Bernstein's flying squadron of groupies is their characteristic shading of the truth on well-known key issues. One of those issues is the vital distinction between BIND8 and BIND9, which by and large they're fully aware are distinct codebases following a from-scratch rewrite specifically to jettison the inherent unmaintainability of the legacy BIND8 codebase -- but they find it convenient to slur the new codebase with the old one's faults. Another is their characteristic refusal to compare the Qmail MTA against anything other than Sendmail -- when the obvious comparisons [linuxmafia.com] are Qmail/Postfix/Courier (all modular designs) and Sendmail/Exim (both monolithic designs where process instances drop privilege according to role). A third is their curious inability to ever say the words "proprietary" or "not open source", instead making excuses, changing the subject, and talking around that point.
(I'll hasten to add that Prof. Bernstein clearly isn't responsible for his acolytes' conduct.)
Rick Moen
rick@linuxmafia.com
Re:Tips (Score:4, Insightful)
You shouldn't trust the software because of the cash guarantee. You should trust it because it is secure.
Some people will audit the software in hopes of claiming the reward, either for the monetary or ego value. It also means that the author has faith in his software. How many other people will put a cash guarantee behind their code? Dan doesn't have any commercial reasons to offer this guarantee. He does it because he knows his code is secure. Why won't the BIND authors guarantee their code? Because they know that they can't.
Look at it from another perspective. How many people here dislike Dan for one reason or another? How many of those people would love to find a hole in his software to discredit him? How many of those people have found one?
djbdns is secure in the same way that qmail is secure. Read the code for yourself. You will see how different it is from other software. It is quite easy to see how Dan can guarantee that it is secure.
More about the right to fork (Score:3, Insightful)
Afterthought: The right to fork is such a fundamental assumption of the open-source model that it's easy to forget other vital reasons for it, beyond just the code being maintainable after its owner decides to quit. I posted before thinking of those.
When we say something is "open source", we're also implying the right to create derivative works descended from that codebase. E.g., the most important long-term fact about the Berkeley NET2, 4.4BSD, 4.4BSD-Lite, and 4.4BSD-Lite2 releases is that we got 386BSD, and then {Free|Net|Open}BSD from them. Had the U.C. Berkeley Computer Science Research Group used a Bernstein-style no-forking-allowed licence, there would have been none of those things: Their creation would have been illegal.
So, I think if you mull over your assertion that you "don't think that [a right to fork] is necessary for something to be free (as in GNU free)", you'll see that this right actually is absolutely vital and essential to the very concept.
Rick Moen
rick@linuxmafia.com
Re:patches already available (Score:4, Insightful)
It wasn't long ago that a forged 'trusted' mime type would allow an
Re:Or you could use bind 9... (Score:3, Insightful)
Is it just me, or does the RFC look like it was documenting BIND's implementation, rather than defining a standard which BIND then implemented?
Re:patches already available (Score:3, Insightful)
Saying such a thing is completely unprofessional. It's like selling the unsinkable ship, the unfailable airplane, the unbreakable firewall, etc. etc. Anybody telling nonsense like that should get an unprofessional stamp on his forehead.
Yes. And if the patch is slow in coming out, it's because they are regression testing it. Do open source clients regression test their patches against thousands of machines with different configurations, or just release it as-is and post followup patches if they have problems?
Oh, and that's why service packs often introduce new bugs. And that's why some fixes are exclusive. Meaning you can apply fix A or fix B. Applying both patches will not work. If you apply fix A you get Bug C. Talk with some _real_ admin of a larger Microsoft network, you will hear the tears.