Date: Wed, 9 May 2001 11:26:46 -0600 (MDT)
From: webmaster <russ@mtanet.net>
To: freebsd-questions@FreeBSD.ORG
Subject: A new bind vulnerability?
Message-ID: <Pine.BSF.4.21.0105091104540.9798-100000@C1521581-A.BLLNGS1.MT.HOME.COM>

Hi,

I have two DNS servers running freebsd/bind 8.2.3-T6B in which bind appears to be vulnerable to version questions asked in a certain manner. When dig is used in a certain way, and I don't know exactly how, not being at our attacker's terminal, it causes named to exit, signal 11, pretty effectively DOSing us. Below are entries from the logging we have going for named and the outputs of uname -a and dig. Please see below and respond with any suggestions/comments that you think would help.

Begin Log entries and outputs:
===========================================================================
FROM NS1 queries.log

09-May-2001 01:59:00.905 XX+/127.0.0.1/1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int/PTR/IN
09-May-2001 01:59:01.179 XX+/127.0.0.1/0.0.0.127.in-addr.arpa/PTR/IN
09-May-2001 02:05:37.244 XX /64.14.48.132/techout.net/MX/IN
09-May-2001 02:07:33.558 XX /194.236.70.13/version.bind/TXT/CHAOS

[Right after the question above is asked from 194.236.70.13, named exits; the next entries are not until I restart named the next morning at 9:29]

09-May-2001 09:29:32.768 XX /24.0.2.76/mail.lockdoctor.net/A/IN
09-May-2001 09:29:34.726 XX /64.208.134.12/bikemotor.com/A/IN
09-May-2001 09:29:34.857 XX /64.208.134.12/bikemotor.com/MX/IN
09-May-2001 09:29:37.768 XX /24.0.2.76/mail.lockdoctor.net/A/IN
09-May-2001 09:29:39.855 XX /64.208.134.13/bikemotor.com/A/IN
======================================================================
FROM NS2 queries.log

10-May-2001 02:01:18.289 XX+/127.0.0.1/ns2.funkltd.com/AAAA/IN
10-May-2001 02:01:18.290 XX+/127.0.0.1/ns2.funkltd.com.funkltd.com/AAAA/IN
10-May-2001 02:09:20.483 XX /194.236.70.13/version.bind/TXT/CHAOS

[Same thing here]

10-May-2001 10:11:04.062 XX /207.149.226.4/fleetwoodgaming.com/MX/IN
10-May-2001 10:11:36.533 XX /164.58.198.150/www.bikemotor.com/A/IN
10-May-2001 10:14:32.211 XX /4.24.21.198/www.bikemotor.com/A/IN
======================================================================
Output of uname and dig for ns1

uname -a
FreeBSD NS1.funkltd.com 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Mon Feb 19 15:44:12 MST 2001 root@NS1.funkltd.com:/usr/src/sys/compile/NS1SMP3 i386
----------------------------------------------------------------------
dig @204.212.40.206 version.bind. CHAOS TXT

; <<>> DiG 8.3 <<>> @204.212.40.206 version.bind. CHAOS TXT
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
VERSION.BIND. 0S CHAOS TXT "8.2.3-T6B"

;; Total query time: 179 msec
;; FROM: C1521581-A.BLLNGS1.MT.HOME.COM to SERVER: 204.212.40.206
;; WHEN: Wed May 9 11:23:05 2001
;; MSG SIZE sent: 30 rcvd: 64
======================================================================
Output of uname and dig for ns2:

uname -a
FreeBSD ns2.funkltd.com 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Thu Mar 29 04:59:21 GMT 2001 root@ns2.funkltd.com:/usr/src/sys/compile/GMANSYS i386
-----------------------------------------------------------------------
dig @204.212.40.207 version.bind. CHAOS TXT

; <<>> DiG 8.3 <<>> @204.212.40.207 version.bind. CHAOS TXT
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
VERSION.BIND. 0S CHAOS TXT "8.2.3-T6B"

;; Total query time: 142 msec
;; FROM: C1521581-A.BLLNGS1.MT.HOME.COM to SERVER: 204.212.40.207
;; WHEN: Wed May 9 11:24:20 2001
;; MSG SIZE sent: 30 rcvd: 64
=========================================================================
End log entries

What do you think?

Sincerely,

==================================
Russ Mummey
Systems Administrator/IT Manager
MTANET.NET
Phone 406.896.0688
Fax 406.896.0684
Email webmaster@mtanet.net
==================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
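
The correlation made by hand in the message above (a CHAOS-class query as the last entry before query logging goes silent) can be automated. This is an added example, not part of the original message or of BIND; the function names and the 30-minute gap threshold are assumptions, and the sample lines are copied from the NS1 excerpt.

```python
import re
from datetime import datetime, timedelta

# Query-log line layout as shown in the message:
#   <date> <time> XX[+]/<client>/<qname>/<qtype>/<qclass>
LINE_RE = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) XX[+ ]?\s*"
    r"/([^/]+)/([^/]+)/(\w+)/(\w+)$"
)

def parse(line):
    """Return (timestamp, client, qname, qtype, qclass), or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
    return (ts, m.group(2), m.group(3).lower(), m.group(4), m.group(5))

def chaos_before_gap(lines, min_gap=timedelta(minutes=30)):
    """Flag CHAOS-class queries that are the last entry before a logging gap.

    min_gap is an assumed threshold; tune it to the server's normal quiet
    periods. A hit is a lead to correlate with syslog (named exiting on
    signal 11), not proof that the query caused the exit.
    """
    entries = [e for e in map(parse, lines) if e]
    hits = []
    for cur, nxt in zip(entries, entries[1:]):
        gap = nxt[0] - cur[0]
        if cur[4] == "CHAOS" and gap >= min_gap:
            hits.append({"time": cur[0], "client": cur[1],
                         "qname": cur[2], "silent_for": gap})
    return hits

# Lines copied from the NS1 queries.log excerpt in the message above.
NS1_LOG = """\
09-May-2001 01:59:01.179 XX+/127.0.0.1/0.0.0.127.in-addr.arpa/PTR/IN
09-May-2001 02:05:37.244 XX /64.14.48.132/techout.net/MX/IN
09-May-2001 02:07:33.558 XX /194.236.70.13/version.bind/TXT/CHAOS
09-May-2001 09:29:32.768 XX /24.0.2.76/mail.lockdoctor.net/A/IN
09-May-2001 09:29:34.726 XX /64.208.134.12/bikemotor.com/A/IN
""".splitlines()

if __name__ == "__main__":
    for h in chaos_before_gap(NS1_LOG):
        print(f"{h['time']} {h['client']} asked {h['qname']} (CHAOS); "
              f"no queries logged for {h['silent_for']}")
```

On the NS1 lines it reports the single version.bind query from 194.236.70.13, followed by a little over seven hours with nothing logged.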