Bugtraq mailing list archives
Re: BIND Nuking
From: robert () cyrus watson org (Robert Watson)
Date: Mon, 28 Jul 1997 14:50:38 -0400
On Mon, 28 Jul 1997, Steinar Haug wrote:
> zone "my.net" {
>     type master;
>     file "my.net.zon";
>     allow-update { 1.2.3.4; 127.0.0.1; };
> };
>
> Why don't you try it out? The answer: If the update comes from a host not
> on the access list, it will be rejected, and the attempt will be logged,
> like this:
>
> Jul 28 19:29:41 verdi named[2118]: unapproved update from [195.1.171.130].1594 for netsafe.no
>
> Putting 127.0.0.1 in such an access list is probably not a good idea, for
> what should be obvious reasons.
However, you need to make sure you have a packet filter in place on your router/firewall, or people can spoof update packets. This presents some interesting and wonderful security issues concerning any hosts on the inside of your security perimeter. Until the bug is fixed, update should definitely be disabled from any host.
> > If the answer is Yes, this could be very dangerous, every BIND 8.1.x
> > compiled with ALLOW_UPDATES will be vulnerable, even if you don't have
> > access to modify zones.
>
> The answer is no. Also, by default, no updates are allowed. It's only if
> "allow-update" *and* a suitable access list is included in the named
> configuration file that you'll be able to trigger this bug - and then only
> from the host(s) mentioned in the access list. It's still a bug, and needs
> to be fixed. But there's no reason to be overly worried - of the sites
> running bind 8 I'd guess that only a very small fraction have configured
> named to accept updates.
As concluded above, an adequate ACL may not be adequate without a good packet filter and security policy. :)

  Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Security Research, Trusted Information Systems  http://www.tis.com/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert () fledge watson org  rwatson () tis com  http://www.watson.org/~robert/
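The two checks the thread argues for, as an added example that is not part of any message above: a parser that pulls the source address, port and zone out of named's "unapproved update" syslog lines (the line format is assumed from the single line Steinar quoted; the other sample lines are constructed), and an audit of an allow-update list against the networks a border packet filter actually blocks inbound spoofed sources for. The ACL entries and network ranges are constructed values, not from any real configuration.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of named syslog output. The first line is the one quoted
# in the thread; the rest are made up to show repeated attempts and a
# non-matching line that the parser must skip.
SAMPLE_LOG = """\
Jul 28 19:29:41 verdi named[2118]: unapproved update from [195.1.171.130].1594 for netsafe.no
Jul 28 19:30:02 verdi named[2118]: unapproved update from [195.1.171.130].1595 for netsafe.no
Jul 28 19:31:15 verdi named[2118]: unapproved update from [10.9.8.7].2001 for netsafe.no
Jul 28 19:31:16 verdi named[2118]: Ready to answer queries.
"""

# Format assumed from the quoted line: "<syslog ts> <host> named[<pid>]:
# unapproved update from [<ip>].<port> for <zone>"
UNAPPROVED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"unapproved update from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) for (?P<zone>\S+)$"
)


def parse_unapproved_updates(text):
    """Return one dict per rejected-update line; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = UNAPPROVED_RE.match(line)
        if m:
            event = m.groupdict()
            event["port"] = int(event["port"])
            events.append(event)
    return events


def count_by_source(events):
    """Rejected attempts per source address, most frequent first."""
    return Counter(e["src"] for e in events).most_common()


def audit_allow_update(acl, inside_nets):
    """Flag allow-update entries that a perimeter packet filter cannot protect.

    acl:         address or prefix strings as written in allow-update { ... };
    inside_nets: prefixes for which the border filter drops inbound packets
                 claiming those sources (anti-spoofing). Any ACL entry outside
                 them can be forged in a single UDP packet from anywhere, which
                 is the thread's point; 127.0.0.1 is flagged separately because
                 any process on the server itself can originate from it.
    Returns a list of (entry, reason) tuples; an empty list means no finding.
    """
    protected = [ipaddress.ip_network(n) for n in inside_nets]
    findings = []
    for entry in acl:
        net = ipaddress.ip_network(entry, strict=False)
        if net.is_loopback:
            findings.append((entry, "loopback: any local process can send an update"))
        elif not any(net.subnet_of(p) for p in protected):
            findings.append((entry, "outside anti-spoof filter: source can be forged"))
    return findings


if __name__ == "__main__":
    events = parse_unapproved_updates(SAMPLE_LOG)
    for src, n in count_by_source(events):
        print(f"{n:3d} rejected update(s) from {src}")
    # Constructed ACL from the quoted zone stanza, audited against a
    # constructed internal prefix that the border filter protects.
    for entry, reason in audit_allow_update(["1.2.3.4", "127.0.0.1"], ["1.2.3.0/24"]):
        print(f"allow-update entry {entry}: {reason}")
```

The audit treats "protected" as meaning the border router drops inbound packets whose source claims to be inside; without that rule every entry would be reported, which matches Robert's conclusion that the ACL alone is not adequate.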
Current thread:
- Re: BIND Nuking Daniele Orlandi (Jul 25)
- <Possible follow-ups>
- Re: BIND Nuking Alan Brown (Jul 26)
- Re: BIND Nuking Steinar Haug (Jul 28)
- Re: BIND Nuking Robert Watson (Jul 28)