UPDATE: Some domain name system (DNS) server implementations are at risk for denial-of-service attacks after a vulnerability was disclosed and patched in a few popular server packages, including BIND, OpenDNS, PowerDNS and NLnetLabs.
According to an advisory from DHS and the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University, many other vendors, including Apple, Cisco and Microsoft, have yet to report if their implementations are vulnerable.
Recursive DNS resolvers are in the crosshairs with this issue; queries made to a malicious authoritative server can cause the resolver to follow an infinite chain of referrals, the advisory said.
“By making use of maliciously constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation,” the Internet Security Consortium which runs the BIND project said in its advisory. “This can lead to resource exhaustion and denial of service (up to and including termination of the named server process.)”
The issue is resolved in BIND 9.9.6-P1 and 9.10.1-P1; versions 9.0.x-9.8.x, 9.9.0-9.9.6, 9.10.0-9.10.1 are affected. Limiting the number of referrals followed and the number of simultaneous queries allowed—delegation chaining—resolves the issue, ISC said.
With regard to BIND servers, ISC warns that BIND 9.6-ESV and BIND 9.8 are end of life and no longer are supported. Organizations should upgrade to the closest supported version, ISC said.
Nominum, dnsmasq and djbdns are not affected by this issue, the DHS advisory said. It is unknown yet whether Apple, Cisco, F5 Networks, GNU glibc, and many others are affected.
Recursive DNS servers are provided by ISPs in order to increase efficiency and performance with the resolution of DNS queries. Sometimes, however, open recursive resolvers can be abused and used as the launchpad for distributed denial of service attacks. Known as amplification attacks, hackers can use them spoof traffic and overload targets with bad traffic, sometimes at a rate of better than 100-to-1 amplification, experts say.
ISC also released a second advisory this week warning of a issues identified in the GeoIP feature in BIND 9.10, which could cause BIND to exit with an “assertion failure.”
“Two are capable of crashing BIND — triggering either can cause named to exit with an assertion failure, resulting in a denial of service condition,” ISC said it an advisory. “A third defect is also corrected, which could have caused GeoIP databases to not be loaded properly if their location was changed while BIND was running.”
This article was updated to reflect that OpenDNS has patched against this issue.