Security Alert: DNS Security Vulnerability

July 10th, 2008 by Cory Wright

Earlier this week Dan Kaminsky announced a major security vulnerability in the 25 year old DNS protocol. DNS is used to translate human readable addresses such as www.google.com into IP addresses that computers use to talk to one another across networks such as the Internet. Kaminsky, a security researcher with IO Active, stressed that the issue was in the design of DNS and therefore affected software across all operating systems.

Of course, the most popular DNS software on Linux is BIND, which is shipped with almost every distribution. Kaminsky worked with many major software vendors to ensure that security updates were available simultaneously. Debian, Red Hat, Ubuntu, and many other distributions have already provided updated versions of BIND. One thing to note is that if you are running BIND 8 servers anywhere you should take this opportunity to upgrade to BIND 9. The BIND 8 codebase is no longer supported, and security updates are not available.

Even though this is a protocol issue, some software and services are not affected. Systems using Dan Bernstein's djbdns package are not vulnerable to this type of attack. Users of PowerDNS and OpenDNS are also not susceptible. Kaminsky has provided a tool on his website that you can use to check your DNS service.

Although this is a major security issue, the details of the exploit have not yet been released by Kaminsky. The coordinated effort with vendors gave them a chance to patch their systems before Kaminsky takes the stage at the annual Black Hat security conference next month in Las Vegas. It is expected that he will discuss the vulnerability in depth at the conference, at which point exploits are sure to begin appearing. An Executive Overview (PDF) of the vulnerability is available, along with the CERT Advisory. A list of the affected systems is given near the bottom of the advisory.

If you manage DNS services please take time to update your system with the latest software available.

__________________________

Cory Wright is a blogger for LinuxJournal.com

Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer

Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.

It seems that djbdns has

On February 19th, 2009 Anonymous (not verified) says:

It seems that djbdns has other problems:

http://secunia.com/advisories/33855/

Another (non affected) Service

On July 11th, 2008 FredR says:

I currently run Bind 9 as my hidden master, and the world points to EveryDNS which I believe runs djbdns. It's no surprise, because it's a free service offered by a fellow named David Ulevitch, one of the guys on the OpenDNS team.

Although my Bind 9 on Slackware 9.1 was vulnerable, (it's now patched), I was relieved to see this EveryDNS uses unaffected software as the whole internet points to it for my domains.

I love the service, it's been great, and geographically diverse, too! I've been using it for years and even donated a little. Give it a try!

__________________________

-- FLR or flrichar is a superfan of Linux Journal, and goofs around in the LJ IRC Channel

Only resolving DNS is affected

On July 11th, 2008 Cory Wright says:

This exploit only affects DNS resolvers. EveryDNS is an authoritative DNS service (using tinydns and axfrdns from djbdns), and therefore isn't vulnerable. BIND is both a resolving DNS server and an authoritative DNS server in the same package. Where OpenDNS could have been vulnerable (it isn't), EveryDNS doesn't qualified for this exploit.

__________________________

Cory Wright is a blogger for LinuxJournal.com

Post new comment

The Latest


Package Management With Zypper	Nov-05-09
Court Gets A Torrent-full About Linux	Nov-04-09
Forget Rasterbator, Posterazor!	Nov-04-09
Who Needs Time Machine with "Back in Time"	Nov-03-09
Tech Tip: Restore Ctrl-Alt-Backspace in Ubuntu	Nov-03-09
Stories Swirling About Skype's Source	Nov-02-09

Each week Linux Journal editors will tell you what's hot in the world of Linux. You will receive late breaking news, technical tips and tricks, and links to in-depth stories featured on www.linuxjournal.com.

Tech Tip Videos

Forget Rasterbator, Posterazor!
Nov-04-09
Who Needs Time Machine with "Back in Time"
Nov-03-09
Updating ISOs with zsync
Oct-29-09
Forgetting Sudo (we've all done it)
Oct-26-09

Recently Popular


Boot with GRUB	4.373135
Why Python?	4.518595
Chapter 16: Ubuntu and Your iPod	4.642855
Who Needs Time Machine with "Back in Time"	4.5
Package Management With Zypper	5
Monitoring Hard Disks with SMART	4.72449

December 2009, #188

If last month's Infrastrucuture issue was too "big" for you then try on this month's Embedded issue. Find out how to use Player for programming mobile robots, build a humidity controller for your root cellar, find out how to reduce the boot time of your embedded system, and if you're new to embedded systems find out the basics that go into one. You can also read about the Beagle Board, the Mesh Potato and a spate of other interestingly named items. And along with our regular columns don't miss our new monthly column: Economy Size Geek.

Read this issue

Contribute to the Linux Journal Flickr Pool
Follow Linux Journal on Twitter
Add Linux Journal to your RSS reader
Meet other readers on Facebook
Get Linux Journal Miis