A vulnerability in BIND creates a means for miscreants to crash vulnerable Domain Name System servers, posing a threat to overall internet stability as a result. Exploits targeted at BIND (Berkeley Internet Name Domain Server) version 9 are already in circulation, warns the Internet Software Consortium, the group which develops …
Berkeley Internet Name Domain Server?
How about Berkeley Internet Name Daemon?
Ah, the joy...
Spent a while on this this morning. Fortunately the company for which I work implements DNS architectures which are not vulnerable.
Got to go and patch my own servers though ;)
And on the other side of the negative spinning Coin ....
It also allows for new master remote controllers to distribute more constructive, albeit alternative, code.
RE: Anonymous Stupid Coward
The acronym BIND was derived from its first domain use, Berkeley Internet Name Domain, and the server software being the "Berkeley Internet Name Domain (BIND) Server". It was not, as is sometimes assumed, Berkeley Internet Name Daemon.
Marking something true as a Fail = Epic Fail
@ AC 29 July 12:50
The acronym BIND was derived from its first domain use, Berkeley Internet Name Domain, and the server software being the "Berkeley Internet Name Domain (BIND) Server". It was not, as is sometimes assumed, Berkeley Internet Name Daemon. The original acronym is clear from the title of and usage in the original BIND paper, The Berkeley Internet Name Domain Server.
The Penguin. Obviously, he's cute......
"BIND is used on a great majority of DNS servers on the Internet. DNS maps between easy-to-remember domain names, understood by humans, and their corresponding numerical IP addresses, needed by computers. Simply put, the system can be compared to a phone book for the internet."
Hang on... aren't the people who read this site supposed to be technically literate?
Surely you do not need to explain a fundamental technology as if we were Daily Mail readers.
1. Dump BIND.
2. Implement DJBDNS.
The latter has yet to have a significant bug found in it, and fully implements DNS RFCs while BIND violates several.
"The latter has yet to have a significant bug found in it"
probably because hardly anyone uses it.
", and fully implements DNS RFCs while BIND violates several."
Since BIND is the de facto DNS reference implementation it could be said that where BIND violates the RFCs, the RFCs should be updated. I'm not saying that's a good thing but...
Re: Ah, the joy...
"Spent a while on this this morning. Fortunately the company for which I work implements DNS architectures which are not vulnerable." .... By John Robson Posted Wednesday 29th July 2009 13:39 GMT
DNS architectures are always sweetly tempted by sticky XSS Programs ... for AIdDynamic Virile Growth for Markets Capture ..... for an XXXXCellent PreDominance.
The Ubuntu desktop Linux auto-update system has promptly installed a new Bind9 on my PC.
@Anon ... Just FEI
Tux, just because...
I run Windows DNS and so am unaffected by this vulnerability! Who's laughing now, *nixtards?
Where I am we use bind 8 on BSD4. Yes, that's BSD 4. The boss isn't one for updating stuff that is working and I for one can't really blame him.
So, I assume that bind 8 is unaffected?
Automatic update is not a good thing
Automatic update of server software? *BAD* idea...
It should work, but sometimes it doesn't, and there may be custom code or other reasons not to do so.
Not on debian yet..
Grr.. debian hasn't rolled out the update yet. They're normally fairly quick with this stuff.. especially as it's a distribution used commonly by servers.
re automatic updates and windows
The Windows DNS server caused me any amount of grief in the past, not because I was trying to maintain it but because some idiot who thought it was a good idea meant that I had to spend a lot of time trying to find ways around its egregious behaviour. I'll wait a couple of days for the next Windows vulnerability and then I'll start laughing again.
Mind you, you wouldn't be laughing much if your upstream ISP/DNS provider didn't patch his systems. You're in a seriously small minority running the Windows DNS server.
I really don't know why you think automatic updates of the kind that the various major distros do. For a start, the update does not mess with configuration unless the configuration itself needs fixing and then you get to merge the new configuration with the old one.
Or are you thinking of the kind of update that happens without any user intervention? The kind that no one actually uses? The ubuntu auto-update someone mentioned earlier tells you updates are available and lets you choose which ones you want. For my money (and the continued security of my servers) I'd choose the way that gives me the patch in a few hours with little or no work on my part.
And don't get me started on Bind 8 on BSD 4 -- it may be working, but is it invulnerable to the known exploits of the last few years?
The cache poisoning vulnerability is a function of how DNS itself works, as opposed to being anything specific to any particular package, and all servers are affected by it to a greater or lesser extent. At least DJBDNS has never had remote root or remote crash exploits. Some of us still remember the seemingly monthly updates needed with BIND some years back.
"Do not fear the penguins, fear the black hats instead".
Bind 8 has not been supported for years and is undoubtedly vulnerable to most of the recent security issues. Upgrade *NOW*.