back to article Bug puts net's most popular DNS app in Bind

Makers of Bind have warned of a security vulnerability in versions of the domain name resolution application that could allow attackers to trick servers into returning unauthorized results. The bug in the Berkeley Internet Name Domain program surfaces only when the DNSSEC security implementation is enabled and the name server …

COMMENTS

This topic is closed for new posts.
WTF?

"Rare but remote" ???

Bind has suffered heaps of exploits of various sorts over the years. I'm with DJB, it's a pile of steaming poo, even if he is an opinionated old git.

For comparison:

http://www.kb.cert.org/vuls/byid?searchview&query=bind

http://www.kb.cert.org/vuls/byid?searchview&query=djbdns

http://www.kb.cert.org/vuls/byid?searchview&query=nsd

I'd agree with DJB more if he didn't have to rewrite syslog to implement a good dns server.

0
0
Pint

Correction

"and the name server accepts queries from the internet at large, a designation known as recursive"

A DNS server is not recursive if it accepts queries from the internet.

It's recursive if it tries to resolve queries for domains it's not authoratative for, by passing those queries on to the actual authoratative servers (those listed in the NS records for the domain) and then passes the reply back to the client.

So if your DNS server is the NS server for "theregister.co.uk", then it will resolve things like www.theregister.co.uk to an IP, if queried.

If it's recursive, and you ask it for the IP of www.google.com, your DNS server will query googles DNS servers, and return the IP it gets back to you. If it's not recursive and you ask for www.google.com, it will respond that it has no record of that name.

It's got nothing to do with accepting queries from the internet, a DNS server on a LAN can be recursive or not, depending on what you need to achieve.

2
0
This topic is closed for new posts.

Forums