Date:      Wed, 9 Jul 2008 20:34:18 +0800 (WST)
From:      Dean Hollister <dean@odyssey.apana.org.au>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/125434: DNS Cache Poisoning Issue in all dns/bind* ports
Message-ID:  <200807091234.UAA52282@odyssey.apana.org.au>
Resent-Message-ID: <200807091240.m69Ce186030073@freefall.freebsd.org>


>Number:         125434
>Category:       ports
>Synopsis:       DNS Cache Poisoning Issue in all dns/bind* ports
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 09 12:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Dean Hollister
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
Australian Public Access Network Association Inc
>Environment:
System: FreeBSD odyssey.apana.org.au 4.11-STABLE FreeBSD 4.11-STABLE #0: Sat Nov 17 20:13:52 WST 2007 root@odyssey.apana.org.au:/usr/src/sys/compile/ODYSSEY i386
>Description:

(Taken from the ISC advisory)

A weakness in the DNS protocol may enable the poisoning of caching recursive resolvers with spoofed 
data. DNSSEC is the only full solution. New versions of BIND provide increased resilience to the 
attack.

Thanks to recent work by Dan Kaminsky of IOActive, ISC has become aware of a potential attack 
exploiting weaknesses in the DNS protocol itself. (Full details of the vulnerability will be 
explained by Kaminsky at the Black Hat conference on August 7th.) The weakness is inherent to the DNS 
protocol and not specific to any single implementation. The DNS protocol uses the Query ID field to 
match incoming responses to previously sent queries. The Query ID field is only 16 bits, which makes 
it an easy target to exploit in the particular spoofing scenario described by Kaminsky. 

ANYONE RUNNING BIND AS A CACHING RESOLVER IS AFFECTED.
>How-To-Repeat:

>Fix:

IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.

YOU ARE ADVISED TO INSTALL EITHER THE PATCHES (9.5.0-P1, 9.4.2-P1, 9.3.5-P1) OR THE NEW BETA RELEASES 
(9.5.1b1, 9.4.3b2) IMMEDIATELY.

The patches will have a noticeable impact on the performance of BIND caching resolvers with query 
rates at or above 10,000 queries per second. The beta releases include optimized code that will 
reduce the impact in performance to non-significant levels.

DNS administrators who operate these servers behind port-restricted firewalls are encouraged to 
review their firewall policies to allow this protocol-compliant behavior. Restricting the possible 
use of various UDP ports, for instance at the firewalls, in outgoing queries and the corresponding 
replies will result in decreased security for the DNS service. 
>Release-Note:
>Audit-Trail:
>Unformatted:
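The response-matching step the advisory describes (a 16-bit Query ID) and the UDP source-port behaviour the Fix section asks firewall operators to allow, as an added illustration in Python; it is not code from the PR, ISC or BIND. `CachingResolver`, `build_response`, the fixed port 53 for the unpatched case and the ephemeral port range are assumptions made for the model, and `forgery_success_probability` only quantifies the risk an off-path forger faces against one outstanding query.

```python
import struct
import secrets

# 12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035)
DNS_HEADER = struct.Struct("!HHHHHH")
ID_SPACE = 1 << 16                 # the 16-bit Query ID the advisory refers to
PORT_SPACE = 65536 - 1024          # ephemeral UDP source ports a resolver can draw from (assumption)

def parse_dns_header(pkt: bytes) -> dict:
    """Return the Query ID and QR bit of a DNS message; raise on a truncated header."""
    if len(pkt) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, _ns, _ar = DNS_HEADER.unpack_from(pkt)
    return {"id": qid, "is_response": bool(flags & 0x8000), "qdcount": qd, "ancount": an}

def build_response(qid: int) -> bytes:
    """Constructed sample: a header-only response (QR=1, RD=1, RA=1) announcing one answer."""
    return DNS_HEADER.pack(qid, 0x8180, 1, 1, 0, 0)

class CachingResolver:
    """Toy model of the matching step, not BIND's code. randomize_port=False models the
    unpatched behaviour of sending every query from one fixed source port (53 here, an
    assumption for illustration); randomize_port=True models the patched behaviour."""
    def __init__(self, randomize_port: bool):
        self.randomize_port = randomize_port
        self.pending = {}  # (query id, our source port) -> qname awaiting an answer

    def send_query(self, qname: str) -> tuple:
        qid = secrets.randbelow(ID_SPACE)
        sport = 1024 + secrets.randbelow(PORT_SPACE) if self.randomize_port else 53
        self.pending[(qid, sport)] = qname
        return qid, sport

    def accept_response(self, pkt: bytes, dst_port: int) -> bool:
        """Accept only a response whose ID *and* destination port match an outstanding query."""
        hdr = parse_dns_header(pkt)
        key = (hdr["id"], dst_port)
        if not hdr["is_response"] or key not in self.pending:
            return False          # unsolicited or mismatched: dropped, never cached
        del self.pending[key]     # one answer per query; later duplicates are dropped too
        return True

def guess_space(randomize_port: bool) -> int:
    """Number of (ID, port) values an off-path forger must match for one outstanding query."""
    return ID_SPACE * (PORT_SPACE if randomize_port else 1)

def forgery_success_probability(attempts: int, randomize_port: bool) -> float:
    """Chance that at least one of `attempts` blind guesses matches one outstanding query."""
    return 1.0 - (1.0 - 1.0 / guess_space(randomize_port)) ** attempts
```

With a fixed source port, 65536 blind responses against one outstanding query succeed with probability about 0.63; with the port randomized the same effort succeeds with probability around 1.5e-5, which is the resilience gain the advisory refers to and why port-restricting firewalls weaken it.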