ISC releases security fix for Bind DoS vulnerability


ISC releases security fix for Bind DoS vulnerability

Warwick Ashford

The Internet Systems Consortium has published an advisory and an update for the Bind domain name system software versions 9.7.1 to 9.7.2-P3.

The update fixes a high-risk, remotely exploitable, denial-of-service vulnerability in Bind, distributed by default with most Unix and Linux platforms, said the Internet Systems Consortium (ISC).

Bind, a widely-used DNS server software, is one of the preferred targets for attackers on the internet, according to the Internet Storm Center of the SANS Institute.

"When a server that is authoritative for a domain processes a successful domain transfer operation (IXFR) or a dynamic update, there is a small window of time where this processing, combined with a high amount of queries, can cause a deadlock which makes the DNS server stop processing further requests," a SANS Institute bulletin said.

According to the bulletin, organisations with Bind installed should upgrade to Bind 9.7.3 and remember the following basic security measures:

-Only allow IXFR transfers from known secondary servers of your domain. You don't want to let people know all the list of public IP addresses associated with your domain

-Keep separated your internal DNS information from your external DNS information. Some DNS provides information about private addresses used inside the corporate network

-Allow recursive requests only from your internal DNS. If you allow recursive requests from the internet, you are exposed to a distributed denial of service

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy