From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
Date: Sat, 11 Nov 2000 13:55:00 -0800
To: Greg Lehey
Cc: heckfordj@psi-domain.co.uk, freebsd-isp@FreeBSD.org, Mathias Körber, FreeBSD Committers
Subject: Re: BIND 8.2.2-P5 Possible DOS

Greg Lehey wrote:
>
> [originally sent to -ISP]
>
> On Thursday, 9 November 2000 at 9:52:37 -0800, Doug Barton wrote:
> > Jamie Heckford wrote:
> >>
> >> Verified this earlier... make sure your nameservers are configured correctly!!
> >>
> >> Nov 8 19:00:47 atlas named-xfer[78583]: [x.x.x.x] no SOA found for xxx, SOA
> >> query got rcode 3, aa 1, ancount 0, aucount 1
> >>
> >> Nov 8 19:01:05 atlas named[276]: unsupported XFR (type ZXFR) of "xxx" (IN) to
> >> [x.x.x.x].1368
> >> Nov 8 19:01:21 atlas named[276]: d_rcnt-- == 0
> >>
> >> Nov 8 19:01:21 atlas /kernel: pid 276 (named), uid 53: exited on signal 6
> >>
> >> Nov 8 19:01:21 atlas named[276]: d_rcnt-- == 0
> >>
> >> ---------- Forwarded Message ----------
> >> Subject: BIND 8.2.2-P5 Possible DOS
> >> Date: Tue, 7 Nov 2000 13:40:49 +0100
> >> From: "Fabio Pietrosanti (naif)"
> >>
> >> Hi,
> >> playing with bind and the ZXFR feature (zone transfer compressed with a possibly insecure
> >> execlp("gzip", "gzip", NULL); ), I discovered a Denial of Service against BIND 8.2.2-P5.
> >>
> >> By default BIND 8.2.2-P5 isn't compiled with ZXFR support unless you define it with #define BIND_ZXFR,
> >> so it will refuse any ZXFR transfer, because it doesn't support it.
> >> But now what happens? Look here...
> >>
> >> ################################
> >> zone to transfer: zone.pippo.com
> >> dns server: dns.pippo.com 192.168.1.1
> >> me: naif.gatesux.com 10.10.10.10
> >> I send a Zone Transfer request using the "-Z" switch, which means that I wish to use ZXFR.
> >> dns.pippo.com doesn't support ZXFR and has "allow-transfer{}" not configured, so everyone
> >> could ask it for *.zone.pippo.com ...
> >>
> >> [~/bind/src822p5/bin/named-xfer] $ ./named-xfer -z zone.pippo.com -d 9 -f pics -Z dns.pippo.com
> >> named-xfer[29297]: send AXFR query 0 to 192.168.1.1
> >> named-xfer[29297]: premature EOF, fetching "zone.pippo.com"
> >>
> >> On the server's log:
> >> Nov 7 11:19:09 dns.pippo.com: named[188510]: approved ZXFR from [10.10.10.10].2284 for "zone.pippo.com"
> >> Nov 7 11:19:09 dns.pippo.com: named[188510]: unsupported XFR (type ZXFR) of "zone.pippo.com" (IN) to [10.10.10.10].2284
> >>
> >> Then the server "*** CRASHED ***".
> >>
> >> I should assume that BIND 8.2.2-P5 is vulnerable (please someone test and confirm this kind of DoS)
> >> and bind-9.0.0 has no support for ZXFR.
> >>
> >> [~/bind] $ find src822p5/ -type f -exec grep -i zxfr \{\} ';' | wc -l
> >> 234
> >> [~/bind] $ find bind-9.0.0/ -type f -exec grep -i zxfr \{\} ';' | wc -l
> >> 0
> >>
> >> A lot of DNS servers are misconfigured and allow zone transfers to any, so they are DoSable...
> >
> > The latest versions of -current and -stable both have BIND 8.2.3-T6b,
> > which has this, and several other nasties fixed. I've been running that
> > version of BIND on a highly visible, heavily loaded public ns for
> > several months without problems.
>
> I'm currently in a Singapore Linux User group meeting, and we were
> discussing this matter. Mathias Körber of Nominum is of the opinion
> that it's wrong to use BIND 8.2.3-T6b in -STABLE. He also doubts that
> this particular bug is fixed in this version. I don't have enough
> knowledge of the issues to comment. Does anybody else?

8.2.3, starting with the very first alpha test release, had the zxfr bug fixed. This branch also has all other known bugs from the 8.2.2 branch fixed, plus various other improvements. Up till the time that 8.2.2-P7 was released on Nov. 9, 8.2.3-T6B was unarguably the most stable and least likely to be exploited version of BIND available. It has been well proven on many heavily loaded sites (including mine for the last two months), and Jeroen discussed this question at great length already.

The only arguments (and I use that term loosely) I've seen against the use of 8.2.3-T6B in the tree have all boiled down to, "I don't like beta software in -Stable." While I have some sympathy with that notion, it comes down to the fact that we want the best possible version of the contributed products that we use in the tree, and this is it, regardless of the name of the current release. An extremely apt analogy would be our own use of the term "beta," as in, "FreeBSD 4.2-BETA." Our product doesn't magically get better the day the "4.2-RELEASE" tag is laid down.

Substantive arguments in terms of, "BIND 8.2.3-T6B does such-and-such under these conditions, which is bad because..." should be directed to freebsd-arch@freebsd.org (mainly because that's where Jeroen has held this same type of discussion in the past). It should be clear of course that I don't speak for Jeroen, but I have discussed this with him, and I fully support his decision. I've got years of experience in DNS administration, and I follow the state of BIND development pretty closely, so I feel confident in my opinion that this is the best choice at this point in the game.

Doug

-- 
Life is an essay test. Long form. Spelling counts.
Do YOU Yahoo!?
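As an added defender-side example (not part of the thread or of BIND), a small Python correlator over constructed syslog lines modelled on the ones quoted above: it picks out each "unsupported XFR (type ZXFR)" rejection logged by named and pairs it with a kernel "exited on signal" record for the same PID within a short window, so an operator can see which remote clients were followed by a named abort rather than a clean refusal. Hostnames, PIDs, the zone name and client addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines modelled on the ones quoted in the thread;
# hostnames, PIDs, zone and client addresses are made up for this example.
SAMPLE_LOG = """\
Nov  8 19:00:47 atlas named-xfer[78583]: [192.0.2.10] no SOA found for example.test, SOA query got rcode 3, aa 1, ancount 0, aucount 1
Nov  8 19:01:05 atlas named[276]: approved ZXFR from [192.0.2.10].1368 for "example.test"
Nov  8 19:01:05 atlas named[276]: unsupported XFR (type ZXFR) of "example.test" (IN) to [192.0.2.10].1368
Nov  8 19:01:21 atlas named[276]: d_rcnt-- == 0
Nov  8 19:01:21 atlas /kernel: pid 276 (named), uid 53: exited on signal 6
Nov  8 19:30:00 atlas named[300]: approved AXFR from [198.51.100.7].5000 for "example.test"
Nov  8 20:00:00 atlas named[300]: unsupported XFR (type ZXFR) of "example.test" (IN) to [203.0.113.9].4000
"""

TS = r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ "
ZXFR_RE = re.compile(TS + r'named\[(?P<pid>\d+)\]: unsupported XFR \(type ZXFR\) of "(?P<zone>[^"]+)" \(IN\) to \[(?P<ip>[\d.]+)\]\.\d+')
CRASH_RE = re.compile(TS + r"/kernel: pid (?P<pid>\d+) \(named\), uid \d+: exited on signal (?P<sig>\d+)")

def _parse_ts(ts):
    # syslog timestamps carry no year; the default year is fine for deltas
    return datetime.strptime(ts, "%b %d %H:%M:%S")

def correlate_zxfr_crashes(log_text, window_seconds=60):
    """Pair each rejected ZXFR request with a named crash (same PID, within
    window_seconds after the request). Returns one dict per ZXFR request."""
    requests, crashes = [], []
    for line in log_text.splitlines():
        m = ZXFR_RE.match(line)
        if m:
            requests.append(dict(ts=m["ts"], pid=m["pid"], zone=m["zone"], client=m["ip"], crashed=False))
            continue
        m = CRASH_RE.match(line)
        if m:
            crashes.append((_parse_ts(m["ts"]), m["pid"], int(m["sig"])))
    for req in requests:
        t0 = _parse_ts(req["ts"])
        for when, pid, sig in crashes:
            if pid == req["pid"] and timedelta(0) <= when - t0 <= timedelta(seconds=window_seconds):
                req["crashed"] = True
                req["signal"] = sig
    return requests

if __name__ == "__main__":
    for r in correlate_zxfr_crashes(SAMPLE_LOG):
        state = "CRASH (signal %d)" % r["signal"] if r["crashed"] else "rejected, named survived"
        print("%s ZXFR for %s from %s: %s" % (r["ts"], r["zone"], r["client"], state))
```

A rejected ZXFR that is not followed by a crash is still worth reviewing, since it shows a client that was allowed to request a transfer at all; tightening allow-transfer removes both cases.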