New DNS bug and fix announced
Domain name registries are scrambling to patch a newly discovered bug in popular open source DNS software that could be exploited for denial-of-service attacks.
The bug and a corresponding fix were announced Monday by NLnet Labs, a research group that provides authoritative domain name server software called NSD to domain name registrars.
The bug allows for an attack on an NSD server that would cause it to stop responding to queries. The bug affects all versions of NSD 2.0.0 to 3.2.1, NLnet Labs said calling the bugfix "critical."
The bug is a "one-byte buffer overflow that allows a carefully crafted exploit to take down your name server," NLnet Labs said.
The NSD bug is not the result of a problem with the DNS protocol, nor does it have implications for the rollout of DNS security software known as DNSSEC. That's why it's a minor incident compared to the Kaminsky bug discovered last summer.
"This bug is serious in so much that it allows an attacker to [make] name servers stop working, but the patch is readily available," says Dave Knight, Director of Resolution Services at Afilias, which operates the .info and .org domains. "We don't think there have been any attacks in the wild."
Knight said that now the bug is public knowledge, hackers can reverse engineer it to build an exploit.
"Patching should be a priority for everyone running NSD," Knight said.
Afilias runs several authoritative software packages, including NSD and BIND. Knight said Afilias was patching its NSD servers, which will be fixed by the end of the week.
"We also run BIND and other DNS software, so we are not necessarily vulnerable to an attack or threat on any one platform," said John Kane, vice president of Afilias. "Some registries only have one platform, which makes them more vulnerable and requires them to do an emergency patch. In our case, we can flip and run only BIND if we need to for awhile, and then we have the luxury of deploying the bug fix on NSD after it's been tested and passed Q/A."
Network World
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
