The Internet Systems Consortium has published an advisory and an update for the Bind domain name system software versions 9.7.1 to 9.7.2-P3.
The update fixes a high-risk, remotely exploitable, denial-of-service vulnerability in Bind, distributed by default with most Unix and Linux platforms, said the Internet Systems Consortium (ISC).
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Bind, a widely-used DNS server software, is one of the preferred targets for attackers on the internet, according to the Internet Storm Center of the SANS Institute.
"When a server that is authoritative for a domain processes a successful domain transfer operation (IXFR) or a dynamic update, there is a small window of time where this processing, combined with a high amount of queries, can cause a deadlock which makes the DNS server stop processing further requests," a SANS Institute bulletin said.
According to the bulletin, organisations with Bind installed should upgrade to Bind 9.7.3 and remember the following basic security measures:
-Only allow IXFR transfers from known secondary servers of your domain. You don't want to let people know all the list of public IP addresses associated with your domain
-Keep separated your internal DNS information from your external DNS information. Some DNS provides information about private addresses used inside the corporate network
-Allow recursive requests only from your internal DNS. If you allow recursive requests from the internet, you are exposed to a distributed denial of service