Stuck in a BIND

By Deborah Radcliff, Computerworld |  Networking

Unless you've been living under a rock, you already know about the latest buffer-overflow vulnerability in the Berkeley Internet Name Domain (BIND) software, a domain name server (DNS) utility that matches Web server names to Internet Protocol addresses so people can find companies on the Web. By all accounts, BIND is the glue that holds the entire addressing scheme together, making up at least 80% of the Internet naming system.

Rightly, the CERT Coordination Center made a big deal when it announced two weeks ago that BIND Versions 4 and 8 are vulnerable to root-level compromise, traffic rerouting and all other sorts of nasty possibilities.

The following are some other disturbing facts about BIND:

  • BIND is controlled by the Internet Software Consortium (ISC), a nonprofit vendor group in Redwood City, Calif. Heavyweights like Sun, IBM, Hewlett-Packard, Network Associates and Compaq support it.
  • By virtue of the ubiquity of BIND, the ISC wields a lot of power.
  • Just before this latest vulnerability went public, the ISC announced preliminary plans to charge for critical BIND security documentation and alerts through subscription fees starting with resellers. This set off an outcry in the nonvendor IT community.
  • BIND has had 12 security patches in recent years.
  • This latest vulnerability is a buffer overflow, a notorious coding problem that's been well documented for a decade. Through code that's vulnerable to buffer overflow, attackers can gain root simply by confusing the program with illegal input.
  • Ironically, the buffer overflow popped up in BIND code written to support a new security feature: transactional signatures.

The ISC is now asking IT managers to trust it once again and upgrade to Version 9 of BIND, which doesn't have this buffer-overflow problem, according to CERT.

IT pros aren't buying it.

Hardening Your DNS

1. Run BIND in a nonroot environment.

2. Set up a split-brain DNS configuration.

3. Tighten your BIND 8 configuration using built-in security options.

4. Consider running a nonrecursive name server.

5. Configure your operating system to mark the stack nonexecutable.

"BIND is a big, unwieldy piece of software that's been completely rewritten, but it can still have buffer overflows anywhere in the code," says Ian Poynter, president of Jerboa Inc., a security consulting firm in Cambridge, Mass. "BIND is the biggest point of failure on the entire infrastructure of the Internet."

DNS administrators should indeed upgrade, per CERT's recommendation. But there are other things they can do to cut the umbilical cord from the ISC.

Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question