Cache poisoning flaw is death knell for BIND 8

Summary: The Internet Software Consortium has pulled the plug on support for BIND 8 after the discovery of a serious vulnerability that could lead to cache poisoning attacks.

The Internet Software Consortium has pulled the plug on support for Version 8 of the BIND (Berkeley Internet Name Domain) DNS implementation after the discovery of a serious vulnerability that could lead to cache poisoning attacks.

The flaw, analysed publicly in a paper by Trusteer's Amit Klein, lets a remote attacker who can predict the 16-bit transaction ID of an outstanding DNS query send a forged answer that the resolver accepts and caches, poisoning its cache.
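To make the mechanism concrete, the following is an added simulation of the race described above; it is not code from ZDNet, ISC or Klein's paper. It models a resolver that caches the first reply carrying the transaction ID of its outstanding query, and an off-path attacker who first observes one ID (for instance by running the authoritative server for a name the resolver is lured into looking up) and then fires forged replies for a victim name before the genuine answer arrives. The two weak generators (a counter and a 16-bit LFSR) are toy stand-ins chosen for illustration, not reconstructions of BIND 8's or BIND 9's actual code; the host names, addresses and attacker model are assumptions of the example.

```python
"""Simulation of DNS cache poisoning against predictable vs. random
transaction IDs (TXIDs).  Added example; not code from ZDNet, ISC or
Amit Klein's paper.  The generators are toy stand-ins, not
reconstructions of any BIND release."""
import random

TXID_SPACE = 1 << 16  # the DNS transaction ID is a 16-bit header field

# Constructed addresses for the simulation (RFC 5737 documentation ranges).
REAL_ANSWER = "192.0.2.10"
FORGED_ANSWER = "203.0.113.66"


class SequentialTxid:
    """Toy weak generator: each ID is the previous one plus one."""
    def __init__(self, start=0x1234):
        self.state = start

    def next_id(self):
        self.state = (self.state + 1) % TXID_SPACE
        return self.state


class LfsrTxid:
    """Toy 16-bit Fibonacci LFSR (taps 16,14,13,11).  Each output is a
    deterministic function of the previous one, so a single observed ID
    lets the attacker compute every following ID."""
    def __init__(self, seed=0xACE1):
        self.state = seed

    def next_id(self):
        bit = (self.state ^ (self.state >> 2) ^ (self.state >> 3)
               ^ (self.state >> 5)) & 1
        self.state = (self.state >> 1) | (bit << 15)
        return self.state


class RandomTxid:
    """Unpredictable IDs from a seeded RNG (seeded only for reproducibility
    of the simulation; a real resolver needs a CSPRNG)."""
    def __init__(self, rng):
        self.rng = rng

    def next_id(self):
        return self.rng.randrange(TXID_SPACE)


class Resolver:
    """Minimal caching resolver: one query in flight per name; the first
    reply whose TXID matches is cached.  Source-port randomisation and
    bailiwick checks are deliberately omitted to isolate the TXID race."""
    def __init__(self, gen):
        self.gen = gen
        self.pending = {}   # name -> TXID of the query in flight
        self.cache = {}     # name -> accepted answer

    def send_query(self, name):
        txid = self.gen.next_id()
        self.pending[name] = txid
        return txid

    def receive(self, name, txid, answer):
        if self.pending.get(name) != txid:
            return False          # wrong or stale TXID: reply dropped
        self.cache[name] = answer
        del self.pending[name]
        return True


# Attacker-side predictors: from one observed TXID, produce `guesses`
# candidate IDs for the next query the resolver will send.
def predict_sequential(observed, guesses):
    return [(observed + i) % TXID_SPACE for i in range(1, guesses + 1)]


def predict_lfsr(observed, guesses):
    clone = LfsrTxid(seed=observed)   # the observed ID is the whole LFSR state
    return [clone.next_id() for _ in range(guesses)]


def guess_random(rng):
    """Against a random generator the attacker can only guess blindly."""
    def predict(observed, guesses):
        return rng.sample(range(TXID_SPACE), guesses)
    return predict


def poison_trial(resolver, predict, guesses):
    """One attack attempt; True if the forged answer ends up cached."""
    # 1. Attacker lures the resolver into querying a name whose authoritative
    #    server the attacker controls, and reads the TXID off that query.
    observed = resolver.send_query("leak.attacker.example")
    resolver.receive("leak.attacker.example", observed, "198.51.100.1")
    # 2. Attacker triggers the lookup of the victim name.
    victim = "www.bank.example"
    real_txid = resolver.send_query(victim)
    # 3. Forged replies race the genuine one; the first TXID match wins.
    for txid in predict(observed, guesses):
        if resolver.receive(victim, txid, FORGED_ANSWER):
            return True
    # 4. The genuine answer arrives and is cached.
    resolver.receive(victim, real_txid, REAL_ANSWER)
    return False


def success_rate(make_gen, predict, trials=1000, guesses=1):
    hits = sum(poison_trial(Resolver(make_gen()), predict, guesses)
               for _ in range(trials))
    return hits / trials


def random_success_rate(trials=1000, guesses=100, seed_gen=7, seed_atk=11):
    """Blind guessing against random TXIDs: about guesses/65536 per trial."""
    rng = random.Random(seed_gen)
    return success_rate(lambda: RandomTxid(rng),
                        guess_random(random.Random(seed_atk)),
                        trials=trials, guesses=guesses)


if __name__ == "__main__":
    print("counter:", success_rate(SequentialTxid, predict_sequential))
    print("lfsr   :", success_rate(LfsrTxid, predict_lfsr))
    print("random :", random_success_rate())
```

Against either predictable generator a single forged packet wins every time, while against random IDs even a hundred forged packets per lookup succeed in well under one percent of attempts. Note that a real resolver also randomises the UDP source port and applies bailiwick rules; the simulation leaves both out so that only the transaction ID decides the race.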

The ISC has responded with an interim patch for BIND 8 but, in a blunt advisory, the non-profit group says the older version of the DNS server is being put out to pasture.

"BIND 8 remains a relic of software architecture and coding practice from a different time," the group said in an alert. "As such, it is not secure in today's Internet. After years of patching and workarounds, we know it will never be."

"We've already said that BIND 8 will never support DNSSEC and related new security features. But what is more important to consider is this: An administrator who simply stands still and never upgrades will eventually put systems at risk. New problems continue to be discovered at the limits of possibility for fixing them," it added.

The ISC's recommendation is for users to migrate to BIND 9 immediately:

There has never been a root-level exploit against BIND 9. BIND 9 was intrinsically designed to resist cache poisoning attacks; BIND 8, due to architectural decisions made when it was designed and released in the mid-1990s, is not as resistant. Attackers are constantly evolving their tactics to exploit caching and other performance features that modern nameservers require. BIND 9's architecture allows far better resistance to known attacks and modification to meet new ones than BIND 8's does.

Recent discoveries of inherent weaknesses in BIND 8's cache handling in forwarders and random number generation in query IDs cannot be patched reliably or configured around. The workarounds available are "turn off DNS service" or "upgrade to BIND 9". We're choosing to admit this to our users and support migration to BIND 9.

Even so, as Klein's paper also discusses, BIND 9 is not entirely immune: similar, so far theoretical, attacks exist against its query ID generation algorithm.

"While not a feasible attack as-is, the existence of such attack and the potential for it to be later improved with further research makes BIND 9 insecure as well," Klein warned.

Talkback

  • One more reason not to use Linux

    Just ignore the fact that this has nothing to do with Linux and that Bind 9 has been available since Sept 2000.
    swoopee
    • You make no sense.

      "Don't use Linux... wait... ignore the fact it has nothing to do with Linux" WTF, the only thing you said that makes sense is the second part about it being available for 7 years.

      Most likely everyone has a new server by now and has loaded the new version via the distro. Of course, if you build your own, you may be less likely to do so.
      Been_Done_Before
  • Sorry

    That was an attempt at humor.
    swoopee
    • And that was an attempt to reply to Been_Done_Before. [NT]

      .
      swoopee