[5032] in bugtraq


Re: BIND Nuking

daemon@ATHENA.MIT.EDU (Steinar Haug)
Mon Jul 28 14:13:48 1997

Date: Mon, 28 Jul 1997 19:37:33 +0200
Reply-To: sthaug@NETHELP.NO
From: Steinar Haug <sthaug@NETHELP.NO>
X-To: daniele@ORLANDI.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Fri, 25 Jul 1997 21:40:44 +0200"

> I configured bind to accept updates only from a single host.
> What will happen if the attack comes from another host ?
> Will it reject the update attempt as usual or crash anyway ?
>
> In other words, will my host be vulnerable to external attacks if
> configured in such way ?
>
> zone "my.net"
> {
>  type master;
>  file "my.net.zon";
>  allow-update { 1.2.3.4; 127.0.0.1; };
> };

Why don't you try it out?

The answer: If the update comes from a host not on the access list, it
will be rejected, and the attempt will be logged, like this:

Jul 28 19:29:41 verdi named[2118]: unapproved update from [195.1.171.130].1594 for netsafe.no

Putting 127.0.0.1 in such an access list is probably not a good idea,
for what should be obvious reasons.

> If the answer is Yes, this could be very dangerous, every BIND 8.1.x
> compiled with ALLOW_UPDATES will be vulnerable, even if you don't have
> access to modify zones.

The answer is no. Also, by default, no updates are allowed. It's only
if "allow-update" *and* a suitable access list is included in the named
configuration file that you'll be able to trigger this bug - and then
only from the host(s) mentioned in the access list.

It's still a bug, and needs to be fixed. But there's no reason to be
overly worried - of the sites running bind 8 I'd guess that only a very
small fraction have configured named to accept updates.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
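Two things in the reply above are worth turning into a check: the "unapproved update" log line that named writes when an update comes from a host outside the access list, and the advice that 127.0.0.1 does not belong in an allow-update list. The following is an added example, not code from the original post or from BIND itself: it parses rejected-update lines out of syslog output, counts them per source and zone, and scans a named.conf fragment for zones whose allow-update list names a loopback address. The sample log (after the first line, which is the one quoted in the reply) and the sample configuration are constructed for the example; the zone and host names in them are made up.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Constructed sample syslog output. The first line is the one shown in the
# reply; the remaining lines are made up for this example.
SAMPLE_LOG = """\
Jul 28 19:29:41 verdi named[2118]: unapproved update from [195.1.171.130].1594 for netsafe.no
Jul 28 19:29:43 verdi named[2118]: unapproved update from [195.1.171.130].1595 for netsafe.no
Jul 28 19:30:02 verdi named[2118]: unapproved update from [10.0.0.7].2001 for netsafe.no
Jul 28 19:31:00 verdi named[2118]: Ready to answer queries.
"""

# Constructed named.conf fragment modelled on the zone statement quoted in
# the question. Zone names and addresses are placeholders.
SAMPLE_CONFIG = """\
zone "my.net"
{
 type master;
 file "my.net.zon";
 allow-update { 1.2.3.4; 127.0.0.1; };
};

zone "other.example" {
 type master;
 file "other.example.zon";
 allow-update { 10.0.0.5; };
};

zone "static.example" {
 type master;
 file "static.example.zon";
};
"""

# Matches the "unapproved update from [ip].port for zone" message format.
UNAPPROVED_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: unapproved update from "
    r"\[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) for (?P<zone>\S+)"
)


def parse_unapproved_updates(log: str) -> List[Dict[str, str]]:
    """Return one dict (pid, ip, port, zone) per rejected update attempt."""
    events = []
    for line in log.splitlines():
        m = UNAPPROVED_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def rejected_updates_by_source(log: str) -> Counter:
    """Count rejected update attempts per (source IP, zone) pair."""
    return Counter((e["ip"], e["zone"]) for e in parse_unapproved_updates(log))


def zone_blocks(config: str) -> Iterator[Tuple[str, str]]:
    """Yield (zone name, block body) for each zone statement.

    Braces are matched by depth, so a nested statement such as
    allow-update { ...; } does not end the zone block early.
    """
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            if config[i] == "{":
                depth += 1
            elif config[i] == "}":
                depth -= 1
            i += 1
        yield m.group(1), config[m.end():i - 1]


ALLOW_UPDATE_RE = re.compile(r"allow-update\s*\{([^}]*)\}")


def allow_update_hosts(config: str) -> Dict[str, List[str]]:
    """Map each zone to the hosts named in its allow-update list.

    A zone without an allow-update statement maps to an empty list, matching
    the reply's point that no updates are accepted by default.
    """
    result: Dict[str, List[str]] = {}
    for name, body in zone_blocks(config):
        m = ALLOW_UPDATE_RE.search(body)
        hosts: List[str] = []
        if m:
            hosts = [h.strip() for h in m.group(1).split(";") if h.strip()]
        result[name] = hosts
    return result


def zones_allowing_loopback(config: str) -> List[str]:
    """Zones whose allow-update list includes a loopback (127.x.x.x) address."""
    return [
        name for name, hosts in allow_update_hosts(config).items()
        if any(h.startswith("127.") for h in hosts)
    ]


if __name__ == "__main__":
    for (ip, zone), n in rejected_updates_by_source(SAMPLE_LOG).most_common():
        print(f"{n} rejected update(s) from {ip} for {zone}")
    for zone in zones_allowing_loopback(SAMPLE_CONFIG):
        print(f"warning: zone {zone} accepts updates from loopback")
```

Run against real syslog output, the per-source counter is the thing to alert on: a burst of rejected updates from one address for one zone is exactly the signal the log line exists to provide. The config scan is deliberately simple (no include handling, no comment stripping) and is meant as a starting point for a pre-deployment check on named.conf.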
