Bind 4 and 8 Vulnerabilities

eecue writes "The world's most popular DNS package is once again vulnerable. Even the advisory says it's only a matter of time before worms are written.... just like a couple years ago. I guess this is why i run tinydns."

And I guess...

[nagora]

...that's why I run Bind 9 and keep it updated.

TWW

Passive Worm Potential... PATCH NOW

[nweaver]

The potential for a passive worm is actually fairly high, given that the exploit needs to come in response to a DNS query: The worm infects a DNS server, and waits for queries. It responds to those queries from other DNS servers by attempting to infect them.

The nasty parts: Enough people dual-use their DNS servers (serving as both authoritative master for outside and for their own lookups) that you could get lots of authoritative masters. It also does NOT scan.

It could be made even stealtier if the exploit, on failure, would still function. On success, it of course functions normally. This might be harder, but, if so, it would be really REALLY hard to detect such a worm.

It would take a bit of writing to get right, so there is a good window in which to patch your machines. So patch SOON.

Re:Escape

[passthecrackpipe]

This is why [linuxmafia.com] running BIND9 instead of the djb stuff may be a very good idea.

Re:Did ISS tell bind maintainers?

[tekBuddha]

It was mentioned on the FreeBSD-Security list this morning that ISS had informed vendors that they were going to go public with this advisory tomorrow and not today. So in answer to your question, Yes, the vendors have apparently been notified.

This however appears to be yet another situation where ISS has gone ahead and released an advisory before the vendors have actually had a chance to make patches available to the public.

This is supposed to be a security firm that is trying to assist the public in keeping their boxen secure? If so, I'm really scared of the firms that are out there really trying to do damage.

What if you can't use (fill_in_the_blank)?

[why-is-it]

For me, it is not really an option to use a tinydns or any other DNS solution other than BIND. Upgrading to BIND9 is not really an option for me either. I work for a large multinational, and we have a lot of UNIX servers (Sun, IBM, and HP in terms of numbers). I get hardware and software support direct from the manufacturer, and if I install an application, or a version of an application that my vendor does not support, I am on my own. These 24-7 support contracts are important to us in being able to sell our services and maintaining our SLA's and availability targets. Those issues aside, I do not want to have to explain to the PHBs that we cannot get support on a particular problem because the application in question is not supported by Sun, or that IBM only supports version 3.4 and we run version 4.0.

So, it is all well and good if someone out there has the choice to install some other software, but keep in mind that it is not necessarily an option for everyone...

Newer major versions often drop features

[yerricde]

Another vulnerability has been found in Microsoft Windows 98...

I take that comment to imply: "Windows 98 Second Edition is too old to be supported; all users of Windows 98 Second Edition should upgrade to Windows XP Home Edition." The problem with upgrading from one major version of a product to the next just to fix a bug is that newer major versions will often drop useful features that an older version had. For instance, Windows XP Home Edition loses Windows 98's competent support for running proprietary applications designed for MS-DOS. In addition, XP Home loses the ability to run acceptably on a 133 MHz machine with 32 MB of RAM.

Does BIND 9 drop major features or require more hardware for a given level of service vs. BIND 8?

Bind 9.2.1

[decarelbitter]

Bind 9.2.1 has been out for a while. If you haven't upgraded yet consider letting someone who does know run your nameservers...

Re:What if you can't use (fill_in_the_blank)?

[arkanes]

What the fuck are you playing your vendor for if they won't provide fixes for known, proven, and public vulnerabilites? If thats your quality of service, are you really losing anything by giving up thier support and installing your own apps?

Re:Tips

[Anonymous Coward]

Waddayamean, free ?

DJB has been quite clear on this. DJBDNS has his name on it, his guarantee against remote exploits, and his own petty little rant about where things should be installed, and why they should be the same on different systems. As far as he is concerned, you may NOT distribute binaries unless you guarantee they build exactly like the source would build them on the machine in which they are used.

However, he is also QUITE clear. Source patches are fine. Of any sort. This is not any more the original djbdns package, and his guarantee goes out the window. Debian does this with qmail, for example.

I use djbdns, but I REALLY like free software. WHY? Well, BIND is buggy as hell. It is probably the worst possible server software ever written with respect to remote exploits. And, even after the BIND 8 rewrite, it is still buggy as hell. It is also a pain in the ass to configure.

In contrast, djbdns is pretty easy to configure and install. I installed it exactly once per machine (mostly caching servers for local machines only, but also domain servers). It never stopped working. EVER. It never needed restarting. It never needed attention. I sometimes forget it is even running. There has never been an exploit.

So I ask you - if something works like this, why do you need to be able to redistribute anything more than patches? You install the dern thing once and it just keeps going like the Energizer bunny.

So, go ahead, laugh if you want. Install buggy BIND, or some other DNS package. DJBDNS keeps my machines working, free from exploits of dns origin, and it never breaks down or needs attention. And if it ever does, I still have the source and permission to alter it for my own use, and to distribute patches that alter it to others.

That pretty much covers the freedoms I want from my DNS software. Granted, it would be cooler yet if distros could package it and distribute as THEY see fit (placing the trust in the distro and not in DJB), but DJB is kinda quirky, so I live with the next best thing.

Re:Escape

[bozoman42]

Find a vulnerability and you're not even allowed to release a fixed version!

That's assuming you ever find one. qmail's withstood the security guarantee since 1998. djb tends to write fairly good software... Besides, people are allowed to release unofficial patches to djb projects and quite a community has grown up around additional features. See qmail.org [qmail.org] and tinydns.org [tinydns.org].

There hasn't been a djbdns release since 12-Feb-2001 [freshmeat.net] and the project is bound to go stale sooner or later if djb does not renew his interest.

Oh come on. If something works well and implements the standards, why should you bother to add more gimmicks? "If it ain't broke, don't fix it."

Re:Or you could use bind 9...

[serlaten]

In the couple of years the bind 9 code has been out there, the only vulnerabilities it's had caused the server to shut itself down immediately, as it realised something was wrong with its input. That's likely to be it's only failure mode in the future - stick a wrapper around it that restarts it when it dies, and you'll be right as rain.

No, you'd create a potentially very effective DoS target. If named were to restart each time it received some malformed packets, a motivated script kiddie could easily max out your load.

Re:patches already available

[mellon]

OSS' quick fix to BIND 4 and BIND 8 was to release newer versions. BIND 4 is a hopeless clump. BIND 8 was a partial rewrite. BIND 9 was a complete rewrite precisely because BIND 8 wasn't a good basis for a new start.

The problem, if you want to call it that, with OSS is that once you release something broken, you have to hear bug reports about it for the rest of your life. I still occasionally hear from people who are running pre-1.0 snapshots of the ISC DHCP server. That's just how it is in the open source world.

In 2150, some idiot on the Mars colony is going to get hacked by a guy in Plano, TX, because he or she is still running BIND 4 on the Marinaris City web server.

Re:Escape

[innerFire]

There hasn't been a djbdns release since 12-Feb-2001 and the project is bound to go stale sooner or later if djb does not renew his interest.

Maybe it hasn't been updated since Feb 2001 since it's complete and doesn't need any new updates? Is that such an amazing concept?

Re:BIND9

[Amazing Quantum Man]

Actually, IM(V)HO, *ALL* the root servers should be running different DNS servers. Basic rule of reliability...

With redundant servers running different software, the chance of a single attack taking them all down is minimized.

Re:I like MyDNS

[Animats]

Clearly that's the way to do it. Every other modern server-based app that needs a database has the database in a separate program and address space. BIND and Sendmail are archaic exceptions to this rule, and look where all the security holes show up.

Re:I like MyDNS

[bleachboy]

That plan doesn't work too well if your DNS data is very large. Think about how long it takes, to select, say, a million records from your SQL database and write them to a file. It can definitely tie up your server for several minutes at a time. I speak from experience doing this with a MySQL -> tinydns conversion script (in C).

MyDNS was specifically designed for use by ISPs and other entities where very large DNS databases are maintaned, and frequently updated, and where instantaneous or near-instantaneous updates are desirable.

It's not really any better than the competition, IMO, for small local DNS needs, such as serving static DNS data for just a couple of domains -- but I think it's the best around for large, frequently changing DNS data.

Re:Tips

[Anonymous Coward]

Let's go through the freedoms of the GNU foundation with respect to DJB software.

The freedom to run the program, for any purpose

DJB software gives you this.

The freedom to study how the program works, and adapt it to your needs

Yup. You have the source, and you can change it for your own needs. Also true.

The freedom to redistribute copies so you can help your neighbor

You can distribute the source package as it exists at the official distribution web site, and you can distribute patches. So, this one is true, too.

The freedom to improve the program, and release your improvements to the public, so that the whole community benefits.

This is ALSO true. A bunch of whiny ignorant assholes are calling djb software more restrictive than proprietary licenses! DJB provides you the source, the ability to modify it, the ability to redistribute your patches, and the latest source.

The things that are missing are the right to distribute a modified and/or binary version of the software. You can only distribute source (unless you can establish on install that the binary is built just like the source build would do it), and modification can only be in patch form.

But, in general, all GNU freedoms are preserved, and the source is freely available (free as in beer).

BIND is too pervasive

[NZGreg]

One of the least appreciated strengths of the internet is its diversity. MS Office (macro viruses) and MS Outlook (all the other viruses) are great examples of how dangerous a homgenous environment can be - and so is BIND.

The logical conclusion is that we should all actively explore and support alternative solutions, and luckily the internet community seems to enjoy doing this anyway. I use MaraDNS - a simple, secure, open-source, well supported, low overhead authoritative and caching name server that does zone transfers (with a crap website, unfortunately).

So if you aren't hogtied by corporate policy, try an alternative - increase diversity - strengthen the internet. Just don't all switch to MaraDNS...

Brian: You don't need to follow me! You're all individuals!
Crowd (together): Yes! We're all individuals!
Individual: I'm not.

this wouldn't be a problem ...

[darkuncle]

if your named was running in a chroot jail to begin with. Like, say, OpenBSD's. The more vulnerabilities I see published, the more I see the truth in what Bruce Schneier was talking about when he noted that total security can not be achieved, and the the goal of developers should instead be software and systems that fail gracefully.
Running your daemons with restricted privs, in a chroot jail, is a great example of software that fails gracefully.

Re:QPL?

[rickmoen]

yerricde wrote:

Has Bernstein put permission to redistribute any patches against djbdns in writing? If so, then the license becomes roughly equivalent to the Trolltech QPL.

As Prof. Bernstein himself has pointed out, as a matter of copyright law, patches are considered analogous to commentary on the original work, and not as derivative works. Thus, the author of the original work has no claim upon them.

So, with a source-available proprietary software package like djbdns, you can end up with a quasi-free software ecology based around distribution of patches and compile-time modification. Inevitably, those patches end up being very seldom regression-tested against one another. Also, if the base package ever ceases to be maintained, continuing development via patch-distribution alone isn't really very practical. It would rapidly become such a hassle that I'm pretty sure the project would effectively die, at that point.

The fix for that problem is of course licensing that includes a right to fork [linuxmafia.com]. But that's possible only if the copyright holder is willing to grant that right, which Prof. Bernstein (for most of his project) is not.

That is not intended as a criticism of Prof. Bernstein (whom I admire for his dogged defence of crypto rights), nor of his software (even though I don't like or use the latter). It's just the facts of copyright law and licensing as I understand them.

Buggy? At least the vulnerability mentioned in the article does not affect most recent version of BIND 9.x.

Indeed. One of the most distressing aspects of Prof. Bernstein's flying squadron of groupies is their characteristic shading of the truth on well-known key issues. One of those issues is the vital distinction between BIND8 and BIND9, which by and large they're fully aware are distinct codebases following a from-scratch rewrite specifically to jettison the inherent unmaintainability of the legacy BIND8 codebase -- but they find it convenient to slur the new codebase with the old one's faults. Another is their characteristic refusal to compare the Qmail MTA against anything other than Sendmail -- when the obvious comparisons [linuxmafia.com] are Qmail/Postfix/Courier (all modular designs) and Sendmail/Exim (both monolithic designs where process instances drop privilege according to role). A third is their curious inability to ever say the words "proprietary" or "not open source", instead making excuses, changing the subject, and talking around that point.

(I'll hasten to add that Prof. Bernstein clearly isn't responsible for his acolytes' conduct.)

Rick Moen
rick@linuxmafia.com

Re:Tips

[Electrum]

You are being very naive. Please read this comment of mine, I don't want to repeat myself. The point is, that basically a "security guarantee backed by a cash reward" doesn't mean anything. I'm really surprised that people, sometimes even educated people, are still trusting in such poor marketing tools as "cracking contests."

You shouldn't trust the software because of the cash guarantee. You should trust it because it is secure.

Some people will audit the software in hopes of claiming the reward, either for the monetary or ego value. It also means that the author has faith in his software. How many other people will put a cash guarantee behind their code? Dan doesn't have any commercial reasons to offer this guarantee. He does it because he knows his code is secure. Why won't the BIND authors guarantee their code? Because they know that they can't.

Look at it from another perspective. How many people here dislike Dan for one reason or another? How many of those people would love to find a hole in his software to discredit him? How many of those people have found one?

djbdns is secure in the same way that qmail is secure. Read the code for yourself. You will see how different it is from other software. It is quite easy to see how Dan can guarantee that it is secure.

Re:Escape

[Anonymous Coward]

Wow speedy. postfix is waaaay better than qmail

More about the right to fork

[rickmoen]

Afterthought: The right to fork is such a fundamental assumption of the open-source model that it's easy to forget other vital reasons for it, beyond just the code being maintainable after its owner decides to quit. I posted before thinking of those.

When we say something is "open source", we're also implying the right to create derivative works descended from that codebase. E.g., the most important long-term fact about the Berkeley NET2, 4.4BSD, 4.4BSD-Lite, and 4.4BSD-Lite2 releases is that we got 386BSD, and then {Free|Net|Open}BSD from them. Had the U.C. Berkeley Computer Science Research Group used a Bernstein-style no-forking-allowed licence, there would have been none of those things: Their creation would have been illegal.

So, I think if you mull over your assertion that you "don't think that [a right to fork] is necessary for something to be free (as in GNU free)", you'll see that this right actually is absolutely vital and essential to the very concept.

Rick Moen
rick@linuxmafia.com

Re:patches already available

[evilviper]

Microsoft has made Outlook immune to viruses

It wasn't long ago that a forged 'trusted' mime type would allow an .exe to be automatically executed without warning. So please explain this "immue to viruses" thing, it doesn't make any sense to me.

Re:Or you could use bind 9...

[Phroggy]

It uses RFC-specified zone file format

Is it just me, or does the RFC look like it was documenting BIND's implementation, rather than defining a standard which BIND then implemented?

Re:Tips

[Anonymous Coward]

How about Microsoft's "Hack our IIS Server" contest running on Windows 2000 Beta? Lots of people dislike Microsoft and would love to dicredit them. Nobody hacked the server and claimed the prize. Therefore IIS is secure (snicker).

Re:patches already available

[anshil]

The only thing that proves is that the majority of users don't keep their systems patched, since Microsoft has made Outlook immune to viruses (yes, IMMUNE COMPLETELY IMMUNE)... been that way for over a year now, maybe approaching 2 years.

Saying such thing is completly unprofessional. It's like selling the unsinkable ship, the unfailable airplane, the unbreakable firewall, etc. etc. Anybody telling nonsense like that should get an unprofessional stamp on his forehead.

Yes. And if the patch is slow in coming out, it's because they are regression testing it. Do open source clients regression test their patches against thousands of machines with different configurations, or just release it as-is and post followup patches if they have problems?

Oh and thats why service packs often introduce new bugs. And thats why some fixes are exclusive. Meaning you can apply fix A or fix B. applying both patches will not work. If you apply fix A you get Bug C. Talk with some _real_ admin of a larger microsoft network, you will hear the tears.