Domain Name System (DNS) security troubles have recently been causing major Distributed Denial of Service (DDoS) attacks. Last fall, Azure was kicked in the teeth by a DNS outage. Later in 2016, the largest DDoS attack ever on Dyn knocked tens-of-thousands of websites off the net. So, when the Internet Systems Consortium (ISC) releases patches for three major BIND DNS security problems, you need to patch it. Now.
BIND is the most popular internet DNS server. Like all DNS servers, it translates human-readable domain names, such as www.zdnet.com, into IP addresses. It’s also used in almost all Linux and Unix-based servers. In short, if you’re running DNS, especially on Linux, you’re running BIND.
Until you patch it, you're also running BIND with three security holes, any one of which can be exploited to mount DDoS attacks: each one triggers an assertion failure, which makes the named daemon exit and takes the resolver offline. These are CVE-2016-9131 (a malformed response to an ANY query can cause an assertion failure during recursion), CVE-2016-9147 (an error handling a query response containing inconsistent DNSSEC information could cause an assertion failure), and CVE-2016-9444 (an unusually formed DS record response could cause an assertion failure).
The only good news is that these holes mainly threaten DNS servers running in recursive mode. In recursive mode, the BIND server tries to resolve a name by querying upstream authoritative DNS servers when it can't find an answer in its local cache, which is exactly where the malformed responses that trigger these bugs arrive. Authoritative-only DNS servers, which never perform that upstream lookup, are comparatively far less exposed to these security holes.
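Because recursive resolvers are the exposed ones, a sensible hardening step alongside patching is to stop answering recursive queries from arbitrary clients. The named.conf fragment below is an added illustration, not configuration from the ISC advisory or this article; the `trusted` ACL name, the address ranges, the directory paths and the zone name are assumed placeholders, and only one of the two `options` blocks belongs in a real file.

```conf
// Exposed configuration (assumed example): recursion is on for every
// client that can reach the server, so untrusted queries drive the
// recursive code paths affected by the three assertion-failure bugs.
options {
    directory "/var/cache/bind";
    recursion yes;              // open resolver: any source may recurse
    allow-query { any; };
};

// Hardened configuration (assumed example): recursion, and the cache
// that recursion fills, are limited to networks you control.
acl "trusted" {                 // placeholder ranges for your own networks
    127.0.0.1;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    directory "/var/cache/bind";
    // An authoritative-only server should instead set "recursion no;".
    recursion yes;
    allow-recursion { trusted; };    // recursion only for listed clients
    allow-query-cache { trusted; };  // cached answers stay private too
    allow-query { any; };            // authoritative answers remain public
};

zone "example.com" {            // placeholder zone served authoritatively
    type master;
    file "/etc/bind/db.example.com";
};
```

`named-checkconf` validates the edited file and `rndc reload` applies it; `named -v` shows the running version so you can confirm your distribution's patched package is actually in place.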
Fortunately, most Linux distributions have already released patches for this trio of trouble. I highly recommend that system administrators patch this “important” BIND security problem as soon as possible.
After all, do you really want to explain to your boss why your network just went haywire? I didn’t think so.