Men & Mice Community

New BIND vulnerability?
Forum Index » Domain Name System (DNS)
jmay
User
Joined: 01/08/2007 14:57:09
Messages: 28

Has anyone seen this yet:

http://isc.sans.org/diary.html?storyid=5713

I just tested our two QuickDNS OS X machines and both exhibit the vulnerability.

Will Men&Mice be issuing a fix?

Thanks!

- John May
Chris Buxton
User
Joined: 26/07/2007 20:07:16
Messages: 151
Location: California

The problem is that the query is for something in cache. Therefore, in older versions of BIND 9, you will have a hard time restricting access to this.

Upgrade to BIND 9.4.3-P1. The problem will go away as long as your Query Restrictions panel in the server's Options window does not show "allow any".

To upgrade a Mac, for example, do the following in a Terminal window (similar instructions will work on most Linux distributions; a similar procedure will be needed on Solaris):


Some notes:

1. After the second command, the output should be:

A better method to verify the package, if you have GnuPG installed (e.g. the MacGPG package), is:

This should give a multi-line message, probably including a warning about the key not being trusted, but should not give any other error.

2. The ./configure step has several parameters, and you may need to tweak these for your installation. For example, you may not need the overhead of openssl (which enables TSIG and DNSSEC). You may not need to enable threading, which can come at a cost. You may want or need to enable IPv6.

3. This version of BIND will be overwritten the next time Apple sends out an update that includes BIND. You may want to think about using a different --prefix. Alternatively, you could use DESTDIR when installing to install into a temp directory, like this:

This message was edited 3 times. Last update was at 30/01/2009 02:00:18

jmay
User
Joined: 01/08/2007 14:57:09
Messages: 28

Thanks as always Chris!

- John
jmay
User
Joined: 01/08/2007 14:57:09
Messages: 28

A few other questions:

- How critical do you consider performing this update?

- Are the configure options you specified what are used with QuickDNS' default BIND installation?

Thanks!

- John
Chris Buxton
User
Joined: 26/07/2007 20:07:16
Messages: 151
Location: California

jmay wrote: How critical do you consider performing this update?

It's important for the sake of being a good netizen. In general, we prefer to let operating system vendors handle BIND updates, but lately they haven't been doing such a good job.

Also, if you weren't already at 9.4.3-P1 (or 9.3.6-P1, or 9.5.1-P1, or 9.6.0-P1), then you had some other vulnerabilities to worry about. (Please don't use 9.5.1-P1 in production unless you need GSS-TSIG support - we consider it to still be too new to be relied upon. And do not use 9.6.x for anything other than testing purposes. And you really should be moving up to 9.4.x if you're still on 9.3.x.)

jmay wrote: Are the configure options you specified what are used with QuickDNS' default BIND installation?

I'm honestly not sure. I don't know that anyone remembers, because it's been a while since the last time we bundled BIND with Men & Mice Suite (since version 5.0.3, and for Mac OS X only). There's no longer a one-size-fits-all solution to configuring BIND, though.

The options as specified are reasonable for most purposes when using Mac OS X. However, be aware of the launchd/deaf-at-startup problem, which you can work around with a modified launchd job and a wrapper script. This has been discussed at some length elsewhere in the forum.

When using other operating systems, it may be necessary to disable openssl if the openssl developer headers aren't installed. For Mac OS X, make sure you're up to date on software updates, or you may be using an old and insecure version of openssl, in which case you're better off disabling it when building BIND.

The threading used in BIND can make troubleshooting problems more difficult, and it's usually only useful on servers that get heavily loaded. One of the first things we see the ISC folks recommend when a BIND installation is crashing is to recompile with threads disabled.
Chris Buxton
User
Joined: 26/07/2007 20:07:16
Messages: 151
Location: California

To simplify the packaging up of BIND, I've written this script, which I call makebind. I've stored it in /Developer/source, and I execute it from that location.

The script codifies the configuration options I want to specify and builds a distribution tarball for the hardware platform I'm on. I've enabled IPv6 because I have full IPv6 connectivity to the Internet.


To execute the command, give it an argument of the BIND version desired. For example:

This results in a file in the current directory (e.g. /Developer/source) named bind-9.4.3-P1.dist.tar.gz that contains the binary distribution of BIND, including all supporting files (manpages, developer include files, utilities, etc.).

The script does everything but install the result. Therefore, to install, I just use a command like this:
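An added example, not Chris Buxton's makebind script (which is not reproduced on this page) and not anything shipped by Men & Mice: a POSIX sh helper that does what the two posts above describe. It fetches and gpg-verifies the ISC tarball, maps the openssl/threads/IPv6 choices to ./configure options, installs with DESTDIR into a staging directory under a private --prefix, and packages the result as bind-VERSION.dist.tar.gz. It also carries a small heuristic check of named.conf for the "allow any" cache setting mentioned at the top of the thread. Assumptions not stated on the page and chosen here: the download URL layout under ftp.isc.org, that the ISC signing key is already in your gpg keyring, the --with-openssl / --enable-threads / --enable-ipv6 option names, the MAKEBIND_RUN variable, the PREFIX default, and the two sample configs, which are constructed for illustration. The IPv6 auto-detect uses the ping6 test given later in this thread.

```shell
#!/bin/sh
# makebind-style helper (added example, not the script from the thread).
# Assumptions: ISC publishes bind-VERSION.tar.gz plus a detached .asc signature
# under $ISC_URL/VERSION/, and the ISC signing key is already in your keyring.
set -e

ISC_URL="${ISC_URL:-https://ftp.isc.org/isc/bind9}"   # assumed layout
PREFIX="${PREFIX:-/usr/local/bind}"  # own prefix, so an OS update cannot overwrite it
OPENSSL="${OPENSSL:-yes}"  # yes|no   needed for TSIG and DNSSEC
THREADS="${THREADS:-no}"   # yes|no   ISC often says: rebuild without threads when named crashes
IPV6="${IPV6:-auto}"       # yes|no|auto

tarball_name() { printf 'bind-%s.tar.gz\n' "$1"; }
dist_name()    { printf 'bind-%s.dist.tar.gz\n' "$1"; }

# "Do I get pongs?" test from this thread: one ping to an IPv6 root-server address.
detect_ipv6() { ping6 -c 1 2001:503:ba3e::2:30 >/dev/null 2>&1; }

# Turn the knobs above into ./configure arguments, printed as one line.
configure_args() {
    set -- "--prefix=$PREFIX"
    if [ "$OPENSSL" = no ]; then set -- "$@" --with-openssl=no
    else set -- "$@" --with-openssl; fi
    if [ "$THREADS" = yes ]; then set -- "$@" --enable-threads
    else set -- "$@" --disable-threads; fi
    v6="$IPV6"
    if [ "$v6" = auto ]; then
        if detect_ipv6; then v6=yes; else v6=no; fi
    fi
    if [ "$v6" = yes ]; then set -- "$@" --enable-ipv6
    else set -- "$@" --disable-ipv6; fi    # no connectivity: keep named off IPv6
    printf '%s\n' "$*"
}

# gpg exits non-zero on a bad signature. A "not certified with a trusted
# signature" warning on a good signature still exits 0, which matches the
# "warning about the key not being trusted" the post above says is acceptable.
verify_tarball() { gpg --verify "$1.asc" "$1"; }

build_and_package() {
    ver="$1"; tb=$(tarball_name "$ver"); src="bind-$ver"
    [ -f "$tb" ]     || curl -fO "$ISC_URL/$ver/$tb"
    [ -f "$tb.asc" ] || curl -fO "$ISC_URL/$ver/$tb.asc"
    verify_tarball "$tb"
    rm -rf "$src"; tar xzf "$tb"
    stage=$(mktemp -d "${TMPDIR:-/tmp}/makebind.XXXXXX")
    # DESTDIR puts the whole tree under $stage while paths inside it keep $PREFIX.
    # $(configure_args) is deliberately unquoted so it splits into separate options.
    ( cd "$src" && ./configure $(configure_args) && make && make DESTDIR="$stage" install )
    tar czf "$(dist_name "$ver")" -C "$stage" .
    rm -rf "$stage"
}

# Review named.conf (on stdin) for the "allow any" condition the thread warns about.
# Heuristic: strips // and # line comments, ignores views and /* */ comments.
# Returns 0 if allow-query-cache or allow-recursion is set and neither allows "any",
# 1 if either allows "any" or if neither is set (cache access then falls back to
# version-dependent defaults or allow-query, so look at it by hand).
check_cache_restrictions() {
    conf=$(sed 's|//.*||; s|#.*||')
    if printf '%s\n' "$conf" | grep -Eq '(allow-query-cache|allow-recursion)[[:space:]]*\{[^}]*[[:space:]{]any[[:space:]]*;'; then
        return 1
    fi
    printf '%s\n' "$conf" | grep -Eq '(allow-query-cache|allow-recursion)[[:space:]]*\{'
}

# Constructed sample configs (not from the thread) for trying the check.
sample_open_options() { cat <<'EOF'
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };   // the "allow any" case
};
EOF
}
sample_restricted_options() { cat <<'EOF'
acl trusted { 127.0.0.1; 192.168.0.0/16; };
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
EOF
}

main() {
    [ $# -eq 1 ] || { echo "usage: MAKEBIND_RUN=1 $0 BIND-VERSION (e.g. 9.4.3-P1)" >&2; exit 2; }
    build_and_package "$1"
}
# Only build when invoked with MAKEBIND_RUN=1 (my convention), so the functions
# can also be sourced or exercised without touching the network.
if [ "${MAKEBIND_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it as MAKEBIND_RUN=1 sh makebind.sh 9.4.3-P1 from the directory where you keep sources. To install the result on a target machine, extract the dist tarball at the root (for example sudo tar xzf bind-9.4.3-P1.dist.tar.gz -C /) and point your launchd job or init script at $PREFIX/sbin/named. A config can be reviewed with check_cache_restrictions < /etc/named.conf; a non-zero exit means the cache is open to anyone, or that no explicit restriction was found and the effective default depends on the BIND version.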
jmay
User
Joined: 01/08/2007 14:57:09
Messages: 28

How do I know if I need to enable IPv6?

- John
Chris Buxton
User
Joined: 26/07/2007 20:07:16
Messages: 151
Location: California

jmay wrote: How do I know if I need to enable IPv6?

On your name server, execute this command:

ping6 2001:503:ba3e::2:30

Do you get responses (pongs)?

You do not *need* to enable IPv6 right now, but if you can get IPv6 connectivity, and can set it up on your network, it's a good thing. The more people use IPv6, the more people will want to use IPv6. We're not far from the day when not everyone can have IPv4 connectivity.
jmay
User
Joined: 01/08/2007 14:57:09
Messages: 28

No pongs, guess I leave it off? Does it hurt to have it on?

- John
Chris Buxton
User
Joined: 26/07/2007 20:07:16
Messages: 151
Location: California

jmay wrote: No pongs, guess I leave it off? Does it hurt to have it on?

It might hurt, depending on what happens when named tries to contact another server over IPv6. If you don't have IPv6 connectivity, then turn it off in the configure step.