Sign in / up

back to article Open source nameserver used by millions needs patching

Open source DNS software vendor PowerDNS has advised users to patch its "Authoritative" and "Recursor" products, to squish five bugs disclosed today. None of the bugs pose a risk that PowerDNS might itself be compromised, but this is the DNS: what an attacker can do is fool around with DNS records in various ways. That can be …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Bronek Kozicki

    "That can be catastrophic if done right: for example, if a network is tricked into advertising itself as the whole of the Internet, it can be hosed"

    I only ever managed small DNS servers but the above would require a change in the NS record. This would hose the sub-domain (relative to one of the domains hosted on the vulnerable server) but nothing beyond. Alternatively, a new zone could be imaginably added to the vulnerable server hence allowing spoofing of any domain within the organization, but there is no "advertising itself" element here either. DNS is no BGP. Unless I missed something?

    4 0 Reply
    1. Ben Tasker
      Reply Icon

      but there is no "advertising itself" element here either. DNS is no BGP. Unless I missed something?

      Took me a few reads too....

      Assuming El Reg hasn't just gone off the deep-end, they're talking about the recursor (which can also use locally configured data rather than going to the authoritatives). So you could potentially inject configuration which would tell the recursor to return a specific set of A records for any lookup.

      If you stuck the recursor's own IP in there, then you could DDoS it (though you wouldn't gain much). It's more likely though that an attacker would just redirect specific domains to their own servers (for some MiTM goodness).

      No change in NS records required to achieve that.

      But yeah, there's no advertising itself - and the reference to youtube getting blackholed does leave me a little unsure that El Reg hasn't confused BGP and DNS.

      5 0 Reply
  2. Nick Stallman

    Err yeah I think this article is confusing the perils of dns and bgp. The possible outcomes really are more to do with bgp which powerdns has nothing to do with.

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like