BIND DNS server major flaw could let a script kiddie bring down a large number of DNS servers
BIND is the most widely used DNS server to date.
A major flaw (CVE-2015-5477) was found in BIND versions 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1, and 9.10.0 through 9.10.2-P2.
Attackers can exploit it by sending a vulnerable server a malformed packet that is quite easy to create; the server promptly crashes. The cause is an error in the way BIND handles TKEY queries: a single UDP packet can trigger a REQUIRE assertion failure, causing the DNS daemon (named) to exit.
TKEY queries are used in the context of TSIG, a protocol DNS servers can use to authenticate to each other.
Patches for this vulnerability have been released and can be installed through the package manager by running “yum update” or “apt-get update” on *nix systems (note that “apt-get update” only refreshes the package index; “apt-get upgrade” then installs the updated BIND package).
If you run your own DNS server, a quick way to see whether you are being targeted is to look for “ANY TKEY” in your DNS query logs. An example log entry is shown below:

Aug 2 10:32:48 dns named[2717]: client a.b.c.d#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (x.y.z.zz)
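The following log-parsing script is an added example, not part of the original post: it pulls the fields out of BIND query-log lines in the format shown above and counts TKEY queries per client address. It matches on the TKEY query type regardless of class, which is slightly broader than a plain “ANY TKEY” string search; the log lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# BIND query-log line, as in the post's example:
#   client a.b.c.d#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (x.y.z.zz)
# The "view <name>:" part only appears when views are configured, so it is optional here.
# Newer BIND releases print "client @0x... a.b.c.d#port"; the optional group tolerates that.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#(?P<port>\d+) \((?P<name>[^)]*)\):"
    r"(?: view (?P<view>[^:]+):)? query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
    r" (?P<flags>\S+) \((?P<server>[^)]+)\)"
)


def parse_query_log(line):
    """Return the fields of one query-log line as a dict, or None for non-query lines."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None


def find_tkey_queries(lines):
    """Yield parsed records whose query type is TKEY, the type abused in CVE-2015-5477."""
    for line in lines:
        rec = parse_query_log(line)
        if rec and rec["qtype"].upper() == "TKEY":
            yield rec


def tkey_clients(lines):
    """Count TKEY queries per source address so a repeat sender stands out."""
    return Counter(rec["client"] for rec in find_tkey_queries(lines))


# Constructed sample log using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = [
    "Aug  2 10:32:40 dns named[2717]: client 192.0.2.10#42212 (foo.bar): view north_america: query: foo.bar IN A + (198.51.100.53)",
    "Aug  2 10:32:48 dns named[2717]: client 192.0.2.10#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (198.51.100.53)",
    "Aug  2 10:32:49 dns named[2717]: client 203.0.113.7#5353 (example.net): query: example.net ANY TKEY - (198.51.100.53)",
    "Aug  2 10:32:50 dns named[2717]: client 192.0.2.10#42213 (foo.bar): view north_america: query: foo.bar ANY TKEY + (198.51.100.53)",
    "Aug  2 10:32:51 dns named[2717]: zone example.net/IN: sending notifies (serial 2015080201)",
]

if __name__ == "__main__":
    for client, n in tkey_clients(SAMPLE_LOG).most_common():
        print(f"{client}: {n} TKEY query(ies)")
```

Feed it real lines with `tkey_clients(open("/var/log/named/query.log"))`; on a server that does not use TSIG key negotiation, any non-zero count deserves a look.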