Date:      Sat, 11 Nov 2000 13:55:00 -0800
From:      Doug Barton <DougB@FreeBSD.org>
To:        Greg Lehey <grog@lemis.com>
Cc:        heckfordj@psi-domain.co.uk, freebsd-isp@FreeBSD.org, "Mathias Körber" <Mathias.Koerber@nominum.com>, FreeBSD Committers <cvs-committers@FreeBSD.org>
Subject:   Re: BIND 8.2.2-P5 Possible DOS
Message-ID:  <3A0DC034.EA4CA536@FreeBSD.org>
References:  <00110819041604.01782@freefire.psi-domain.co.uk> <3A0AE465.7825FF37@FreeBSD.org> <20001110193512.I1686@sydney.worldwide.lemis.com>

Greg Lehey wrote:
> 
> [originally sent to -ISP]
> 
> On Thursday,  9 November 2000 at  9:52:37 -0800, Doug Barton wrote:
> > Jamie Heckford wrote:
> >>
> >> Verified this earlier... make sure your nameservers are configured correctly!!
> >>
> >> Nov  8 19:00:47 atlas named-xfer[78583]: [x.x.x.x] no SOA found for xxx, SOA
> >> query got rcode 3, aa 1, ancount 0, aucount 1
> >>
> >> Nov  8 19:01:05 atlas named[276]: unsupported XFR (type ZXFR) of "xxx" (IN) to
> >> [x.x.x.x].1368
> >> Nov  8 19:01:21 atlas named[276]: d_rcnt-- == 0
> >>
> >> Nov  8 19:01:21 atlas /kernel: pid 276 (named), uid 53: exited on signal 6
> >>
> >> Nov  8 19:01:21 atlas named[276]: d_rcnt-- == 0
> >>
> >> ----------  Forwarded Message  ----------
> >> Subject: BIND 8.2.2-P5 Possible DOS
> >> Date: Tue, 7 Nov 2000 13:40:49 +0100
> >> From: "Fabio Pietrosanti (naif)" <fabio@TELEMAIL.IT>
> >>
> >> Hi,
> >> Playing with BIND and the ZXFR feature (compressed zone transfer, with a possibly insecure
> >> execlp("gzip", "gzip", NULL); ), I discovered a Denial of Service against BIND 8.2.2-P5.
> >>
> >> By default BIND 8.2.2-P5 is not compiled with ZXFR support unless you define it with #define BIND_ZXFR,
> >> so it will refuse any ZXFR transfer because it doesn't support it.
> >> But now what happens? Look here...
> >>
> >> ################################
> >> zone to transfer: zone.pippo.com
> >> dns server:       dns.pippo.com 192.168.1.1
> >> me:               naif.gatesux.com 10.10.10.10
> >> I send a Zone Transfer request using the "-Z" switch, which means that I wish to use ZXFR.
> >> dns.pippo.com doesn't support ZXFR and has "allow-transfer{}" not configured, so anyone
> >> could ask it for *.zone.pippo.com ...
> >>
> >> <naif@naif> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer  -z zone.pippo.com  -d 9 -f pics -Z dns.pippo.com
> >> named-xfer[29297]: send AXFR query 0 to 192.168.1.1
> >> named-xfer[29297]: premature EOF, fetching "zone.pippo.com"
> >>
> >> On the server's log:
> >> Nov  7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
> >> Nov  7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284
> >>
> >> Then the server "*** CRASHED ***" .
> >>
> >> I should assume that BIND 8.2.2-P5 is vulnerable (please, someone test and confirm this kind of DoS)
> >> and bind-9.0.0 has no support for ZXFR.
> >>
> >> <naif@naif> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\}  ';' | wc -l
> >>     234
> >> <naif@naif> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\}  ';' | wc -l
> >>       0
> >>
> >> A lot of DNS servers are misconfigured and allow zone transfers to any, so they are DoSable...
> >
> >       The latest versions of -current and -stable both have BIND 8.2.3-T6b,
> > which has this, and several other nasties fixed. I've been running that
> > version of BIND on a highly visible, heavily loaded public ns for
> > several months without problems.
> 
> I'm currently in a Singapore Linux User group meeting, and we were
> discussing this matter.  Mathias Körber of Nominum is of the opinion
> that it's wrong to use BIND 8.2.3-T6b in -STABLE.  He also doubts that
> this particular bug is fixed in this version.  I don't have enough
> knowledge of the issues to comment.  Does anybody else?

	8.2.3 starting with the very first alpha test release had the zxfr bug
fixed. This branch also has all other known bugs from the 8.2.2 branch
fixed, plus various other improvements. Up till the time that 8.2.2-P7
was released on Nov. 9, 8.2.3-T6B was unarguably the most stable, and
least likely to be exploited version of BIND available. It has been well
proven on many heavily loaded sites (including mine for the last two
months) and Jeroen discussed this question at great length already. 

	The only arguments (and I use that term loosely) I've seen against the
use of 8.2.3-T6B in the tree have all boiled down to, "I don't like beta
software in -Stable." While I have some sympathy with that notion, it
comes down to the fact that we want the best possible version of the
contributed products that we use in the tree, and this is it, regardless
of the name of the current release. An extremely apt analogy would be
our own use of the term "beta," as in, "FreeBSD 4.2-BETA." Our product
doesn't magically get better the day the "4.2-RELEASE" tag is laid down. 

	Substantive arguments in the terms of, "BIND 8.2.3-T6B does
such-and-such under these conditions, which is bad because..." should be
directed to freebsd-arch@freebsd.org (mainly because that's where Jeroen
has held this same type of discussion in the past). It should be clear
of course that I don't speak for Jeroen, but I have discussed this with
him, and I fully support his decision. I've got years of experience in
DNS administration, and I follow the state of BIND development pretty
closely, so I feel confident in my opinion that this is the best choice
at this point in the game. 

Doug
-- 
    Life is an essay test. Long form. Spelling counts.
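For anyone who wants to check their own logs for the sequence described in this thread (a rejected ZXFR request followed by the "d_rcnt-- == 0" assertion and named exiting on signal 6), here is an added Python example; it is not code from the thread or from BIND, and the sample syslog lines, hostnames, pids and addresses are constructed to mirror the quoted messages. The "transfer_clients" set it returns is every client the server approved a transfer for, which is worth comparing against the secondaries your allow-transfer is supposed to permit.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on the named/kernel messages quoted
# in the thread; the host, pids and addresses are made up for this example.
SAMPLE_LOG = """\
Nov  7 11:19:09 ns1 named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
Nov  7 11:19:09 ns1 named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284
Nov  7 11:19:21 ns1 named[188510]: d_rcnt-- == 0
Nov  7 11:19:21 ns1 /kernel: pid 188510 (named), uid 53: exited on signal 6
Nov  7 11:30:00 ns1 named[188610]: approved AXFR from [192.168.1.2].1025 for "zone.pippo.com"
"""

# One regex per message shape we care about.
APPROVED = re.compile(
    r'named\[(?P<pid>\d+)\]: approved (?P<xfr>[AIZ]XFR) from \[(?P<ip>[\d.]+)\]\.\d+ for "(?P<zone>[^"]+)"')
UNSUPPORTED = re.compile(
    r'named\[(?P<pid>\d+)\]: unsupported XFR \(type (?P<xfr>\w+)\) of "(?P<zone>[^"]+)" \(IN\) to \[(?P<ip>[\d.]+)\]\.\d+')
CRASH = re.compile(r'/kernel: pid (?P<pid>\d+) \(named\), uid \d+: exited on signal (?P<sig>\d+)')
ASSERT = re.compile(r'named\[(?P<pid>\d+)\]: d_rcnt-- == 0')


def analyze(log_text):
    """Correlate rejected ZXFR requests with a later abort of the same named pid."""
    zxfr_by_pid = defaultdict(list)   # pid -> [(client ip, zone)] for rejected ZXFRs
    asserts = set()                   # pids that logged the d_rcnt assertion
    crashed = set()                   # pids that exited on SIGABRT (signal 6)
    clients = set()                   # every client the server approved a transfer for
    for line in log_text.splitlines():
        if m := APPROVED.search(line):
            clients.add(m["ip"])
        elif m := UNSUPPORTED.search(line):
            if m["xfr"] == "ZXFR":
                zxfr_by_pid[m["pid"]].append((m["ip"], m["zone"]))
        elif m := ASSERT.search(line):
            asserts.add(m["pid"])
        elif m := CRASH.search(line):
            if m["sig"] == "6":
                crashed.add(m["pid"])
    # A ZXFR rejection, the assertion message and a SIGABRT exit all from the
    # same pid is the crash sequence the thread describes.
    crash_after_zxfr = [
        (pid, ip, zone)
        for pid, reqs in zxfr_by_pid.items() if pid in crashed and pid in asserts
        for ip, zone in reqs
    ]
    return {"crash_after_zxfr": crash_after_zxfr,
            "crashed_pids": crashed,
            "transfer_clients": clients}
```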
