New DNS bug and fix announced
Domain name registries are scrambling to patch a newly discovered bug in popular open source DNS software that could be exploited for denial-of-service attacks.
The bug and a corresponding fix were announced Monday by NLnet Labs, a research group that provides authoritative domain name server software called NSD to domain name registrars.
The bug allows for an attack on an NSD server that would cause it to stop responding to queries. The bug affects all versions of NSD 2.0.0 to 3.2.1, NLnet Labs said calling the bugfix "critical."
The bug is a "one-byte buffer overflow that allows a carefully crafted exploit to take down your name server," NLnet Labs said.
The NSD bug is not the result of a problem with the DNS protocol, nor does it have implications for the rollout of DNS security software known as DNSSEC. That's why it's a minor incident compared to the Kaminsky bug discovered last summer.
"This bug is serious in so much that it allows an attacker to [make] name servers stop working, but the patch is readily available," says Dave Knight, Director of Resolution Services at Afilias, which operates the .info and .org domains. "We don't think there have been any attacks in the wild."
Knight said that now the bug is public knowledge, hackers can reverse engineer it to build an exploit.
"Patching should be a priority for everyone running NSD," Knight said.
Afilias runs several authoritative software packages, including NSD and BIND. Knight said Afilias was patching its NSD servers, which will be fixed by the end of the week.
"We also run BIND and other DNS software, so we are not necessarily vulnerable to an attack or threat on any one platform," said John Kane, vice president of Afilias. "Some registries only have one platform, which makes them more vulnerable and requires them to do an emergency patch. In our case, we can flip and run only BIND if we need to for awhile, and then we have the luxury of deploying the bug fix on NSD after it's been tested and passed Q/A."
Network World
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
