Re: BIND Nuking

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Nathan J. Mehl: "Re: SNI-16: INN News Server Security Advisory"
• Previous message: Christopher Samuel: "Re: SNI-16: INN News Server Security Advisory"
• Maybe in reply to: Aveek Datta: "BIND Nuking"
• Next in thread: Robert Watson: "Re: BIND Nuking"

Why don't you try it out?

The answer: If the update comes from a host not on the access list, it
will be rejected, and the attempt will be logged, like this:

Jul 28 19:29:41 verdi named[2118]: unapproved update from [195.1.171.130].1594 for netsafe.no

Putting 127.0.0.1 in such an access list is probably not a good idea,
for what should be obvious reasons.

> If the answer is Yes, this could be very dangerous, every BIND 8.1.x
> compiled with ALLOW_UPDATES will be vulnerable, even if you don't have
> access to modify zones.

The answer is no. Also, by default, no updates are allowed. It's only
if "allow-update" *and* a suitable access list is included in the named
configuration file that you'll be able to trigger this bug - and then
only from the host(s) mentioned in the access list.

It's still a bug, and needs to be fixed. But there's no reason to be
overly worried - of the sites running bind 8 I'd guess that only a very
small fraction have configured named to accept updates.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

• Next message: Nathan J. Mehl: "Re: SNI-16: INN News Server Security Advisory"
• Previous message: Christopher Samuel: "Re: SNI-16: INN News Server Security Advisory"
• Maybe in reply to: Aveek Datta: "BIND Nuking"
• Next in thread: Robert Watson: "Re: BIND Nuking"