[ISN] Thoughts About "Protection Against BIND"

InfoSec News isn at c4i.org
Fri Oct 15 06:29:37 EDT 2004


http://www.circleid.com/article/774_0_1_0_C/

By Paul Vixie
Oct 11, 2004 

Imagine my surprise upon reading a BBC article which identified ISC 
BIND as the top security vulnerability to UNIX systems. At ISC, we 
have striven for a decade to repair BIND's reputation, and by all 
accounts we have made great progress. "What could this be about," I 
wondered, as I scanned the BBC article for more details.

It turns out that BBC was merely parroting what it had been told by 
SANS.

OK, let's see what SANS has to say:

 Top Vulnerabilities to UNIX Systems (U)

 U1. BIND Domain Name System

Ouch! So at this point I'm asking, "OK, what have we done wrong this 
time?"

 U1.1 Description

 The Berkeley Internet Name Domain (BIND) package has become the 
 worlds most widely used implementation of the Domain Name Service (DNS). 
 DNS is a critical system that facilitates the conversion of hostnames 
 (e.g. www.sans.org) into the corresponding registered IP address.

Yeah, yeah, so far, so good. What's the problem, though?

 Due to the ubiquity and critical nature of BIND, it has been made the 
 target of frequent attack.

Ubiquity isn't a vulnerability, though... So, I kept reading:

 Denial of Service (DoS) attacks, which generally result in a complete 
 loss of naming services to Internet sites, have long plagued BIND.

Um. Actually, DDoS attacks do not plague BIND. In fact, DDoS attacks 
have nothing to do with BIND per se -- a DDoS is an attack on a 
network, and will affect all services offered by that network, 
including web services like those offered by Amazon and Ebay. So, what 
can they mean? Are they among the many people who are confused about 
the difference between BIND (which is software) and DNS (which is a 
protocol and a service)? In other words, do they really mean that DDoS 
attacks have long plagued DNS?

If so, then the mystery actually just deepens. UltraDNS and Akamai 
both offer DNS services and both of them wrote their own software (so, 
they are not running BIND), yet both of them have been the victim of 
high profile DDoS attacks which affected very visible customers 
including Google. Why would SANS single out BIND as a DDoS target, 
when DDoS attacks are not against software, and recent DDoS attacks 
against DNS have not involved BIND?

So, still mystified, I kept reading:

 Various other attacks such as buffer overflows and cache poisoning 
 have been discovered within BIND.

Well, OK, they've got that part right at least. The BIND software that 
was part of BSD was terrible. And after wrestling with it for a 
decade, ISC decided to rewrite it from scratch. The result, BIND9, is 
pretty solid.

 Although the BIND development team has historically been quick to 
 respond to and/or repair vulnerabilities, an excessive number of 
 outdated, mis-configured and/or vulnerable servers still remain in 
 production.


By the above-quoted text, this whole article is due to older versions 
of BIND and mis-configured servers running BIND, yet the title of the 
article was simply "BIND Domain Name System". This seems somewhat 
disingenuous.

But I kept reading.

 A number of factors contribute to this condition. Chief among them 
 are administrators who are not aware of security upgrades, systems which 
 are running BIND daemon (called "named") unnecessarily, and bad 
 configuration files. Any of these can affect a denial of service, a 
 buffer overflow or DNS cache poisoning.

Yes, that's all true. I heard someone from Microsoft say that if they 
could just get people to upgrade from Win/95 and apply published 
patches, the whole Internet would be safer. And that's also true. I 
don't quite understand SANS's reason for mentioning it, though. 
"Unpatched Or Misconfigured Software Is Unsafe" is not exactly 
headline news. But if they like that one, how does "Either A Democrat 
Or A Republican Will Be Next U.S. President" sound? It's disturbing, 
it's true, and everybody already knows it, so, "so what?"

But you've got to understand something -- I know some people who work 
at SANS and those people -- the ones I know -- are not idiots. So, I 
kept reading:

 Among the most recently discovered BIND weaknesses was a denial of 
 service discussed in CERT Advisory CA-2002-15. In this case, an 
 attacker could send specific DNS packets to force an internal 
 consistency check which itself is vulnerable, causing the BIND daemon 
 to shut down. Another was a buffer overflow attack, discussed in CERT 
 Advisory CA-2002-19, in which an attacker could utilize vulnerable 
 implementations of the DNS resolver libraries. By sending malicious 
 DNS responses, the attacker could exploit this vulnerability and 
 execute arbitrary code or even cause a denial of service.

I love this! Thank you, SANS, for helping to get the word out. We've 
been telling our vendors and our user community to stop running or 
shipping BIND versions containing these vulnerabilities for years now. 
Several years, in fact. Ever since we cooperated in disclosing and 
repairing those problems. But it's 2004, and those two vulnerabilities 
were published in 2002, so why would it make any sense to announce 
them in 2004? Are they still newsworthy?

 A further risk is posed by a vulnerable BIND server, which may be 
 compromised and used as a repository for illicit material without the 
 administrator's knowledge, or in stepping-stone attacks which use the 
 server as a platform for further malicious activity.

I hate this! Damn you, SANS, for making me remember the fictional 
State Science Institute and its condemnation-without-facts of Reardon 
Metal. For the record, there has never been an exploit of the kind 
you're describing in any version of BIND9, and there is no known 
exploit of this kind in the latest version of BIND8, or even the 
latest BIND4.

OK, so by this point in reading SANS's article, I'm angry, and I'm 
starting to think of the article as a "hit piece". But I kept reading:

 U1.2 Operating Systems Affected

 Just about every UNIX and Linux system is distributed with some 
 version of BIND. The installation of BIND can be intentional for 
 server purposes or unintentional in a general installation. A binary 
 version of BIND is also available for the Windows platform.

It is widely considered to be good practice to run a non-authoritative 
BIND server on every host, for the purpose of caching-for-reuse all 
data fetched from the global DNS. And for the record, full buildable 
open source code is available for BIND on Windows -- not just 
binaries.

"What can they be thinking?" is what I was thinking at this point. 
Onward:

 U1.4 How to Determine if you are Vulnerable

 Any DNS server running a version of BIND that was bundled with the 
 operating system, should be compared against the current patches 
 released by the appropriate vendor. If a running version of BIND is 
 compiled from source from the Internet Software Consortium (ISC), it 
 should be checked to ensure it is the latest version. Outdated and/or 
 un-patched versions of BIND are most likely vulnerable.

All true, every word of it.

 On most system implementations, the command "named -v" will show the 
 installed BIND version enumerated as X.Y.Z where X is the major 
 version, Y is the minor version, and Z is a patch level. Currently 
 the three major versions for BIND are 4, 8 and 9. If on is running a BIND 
 server built from source, one should avoid using version 4, opting 
 instead for version 9. You can retrieve the latest source, version 
 9.3.0rc2, from the ISC.

Actually, the latest version is 9.3.0 (it's not just a release 
candidate any more). But it's sure nice to hear them calling us ISC. 
Just "ISC", though, please, and never "the ISC". (A lawyer told me to 
say that.)

 A proactive approach to maintaining the security of BIND is to 
 subscribe to customized alerting and vulnerability reports, such as 
 those available from SANS or by keeping up with advisories posted at 
 OSVDB. In addition to security alerts, an updated vulnerability 
 scanner can be highly effective in diagnosing any potential 
 vulnerabilities within DNS systems.

Or, interested parties could join ISC's BIND Forum, with or without 
the Advanced Security Notification option. You'll not only get the 
straight scoop on upcoming releases, you can help set our priorities, 
and help pay the production cost of BIND. We (ISC) are a nonprofit 
corporation, and BIND is completely free software -- more free even 
than FSF/GNU/Linux, since it can be bundled or repackaged or otherwise 
redistributed with or without source code, and with no license or 
royalty payments of any kind.

Or, interested parties could engage ISC in a support contract for 
BIND, which would include several of the above-described benefits of 
the our BIND Forum, but would also get you high-quality phone/e-mail 
support.

(I'm not just setting the record straight -- a lot of folks just don't 
know about ISC's BIND Forum and BIND Support offerings.)

Onward:

 U1.5 How to Protect Against It

OK, wait just a minute. They've got a section entitled "How to 
Determine if you are Vulnerable" and now one entitled "How to Protect 
Against It" and the "it" in question is (from the title of this 
article) "BIND Domain Name System". Do folks really need to determine 
if they are vulnerable to BIND? And, for that matter, do folks really 
need to be protected against BIND?

But I digress. Fortunately we're almost at the end of this thing. 
Onward:

 To generally protect against BIND vulnerabilities: 

 Disable the BIND daemon (called "named") on any system which is not 
 specifically designated and authorized to be a DNS server.

This would be a mistake. If your local DNS policy makes every
workstation and every server into its own "caching recursive
forwarding name server" then you are helping yourself and helping the
Internet and you shouldn't stop just because SANS tells you to. But
one of the other things they recommend is a great idea:

 Apply all vendor patches or upgrade DNS servers to the latest 
 version. For more information about hardening a BIND installation, 
 see the articles about securing name services as referenced in CERT's 
 UNIX Security Checklist.

For patches and checklists, you can also just visit ISC's BIND Home 
Page at <http://www.isc.org/sw/bind>. ISC publishes links to useful 
things about BIND configuration, even if they originate elsewhere.

 To complicate automated attacks or scans of a system, hide the 
 "Version String" banner in BIND by replacing the actual version of 
 BIND with a bogus version number in the "named.conf" file options 
 statement.

This is just foolishness. Any attacker whose age is requires more than 
one digit to describe will just "fingerprint" your system, including 
your kernel and all of your services including DNS. They don't need to 
know what version string you report, and they wouldn't believe it, and 
they've stopped asking.

And SANS ought to *know* that; moreover, they ought to be telling 
*you* that.

 Permit zone transfers only to secondary DNS servers in trusted 
 domains.

I'm not sure what this means but I think I don't like the sound of it. 
You should not do anything special about parent or child domains -- 
just create them, properly delegate them, and let DNS figure out where 
they are and how to reach them.

 Jail: To prevent a compromised BIND service from exposing ones entire 
 system, restrict BIND so that it runs as a non-privileged user in a 
 chroot()ed directory. For BIND 9, see: 
 http://www.losurs.org/docs/howto/Chroot-BIND.html

This is a great idea, which is why we have it as a standard BIND9 
feature, and why we describe it in the standard BIND documentation.

 Disable recursion and glue fetching to defend against DNS cache 
 poisoning

I think that what they mean is "don't run authority service and 
recursive service in the same name server", and this is good advice. 
It's so good in fact that we wrote about it in , specifically 
ISC-TN-2002-2. Yup, two years ago. I guess it isn't news?

 To protect against recently discovered BIND vulnerabilities: 

 For the Denial of Service Vulnerability on ISC BIND 9:
 http//www.cert.org/advisories/CA-2002-15.html

I'm sorry, I know this sounds catty, but... 2002 is "recent"?

 Multiple Denial of Service vulnerabilities on ISC BIND 8:
 http://www.isc.org/products/BIND/bind-security.html

Better still, just don't run BIND8 now that BIND9 is solid. But the 
URL they give makes good reading, even if I do say so myself.

 Cache poisoning via negative responses:
 http://www.kb.cert.org/vuls/id/734644

OK, to give SANS credit, they found something that's less than two 
years old. However, it's in BIND8. Oops. You should all upgrade to 
BIND9 now. Even FreeBSD now ships BIND9 as their default name server. 
BIND8 is dead! Long live the king!

 There exist many excellent guides to hardening BIND. One excellent 
 guide on hardening BIND on Solaris systems, as well as additional 
 references for BIND documentation, can be viewed at Running the BIND9 
 DNS Server Securely and the archives of BIND security papers 
 available from Afentis. You can also view documentation covering 
 general BIND security practices.

Those are good articles. But Jacco's site at <http://www.bind9.net/> 
is also very good, and includes all kinds of useful links. Education 
is good.

 Administrators can also look at alternatives to BIND such as DJBDNS 
 located at http://cr.yp.to/djbdns.html.

OK, so some of you were wondering why I bothered to respond to this 
obvious "hit piece" written by someone without much background in the 
field -- maybe the same yet-to-be-fired marketing wizard who came up 
with the name "Internet Storm Center" when the term ISC had another, 
much stronger, much older, meaning. I was going to Just Hit Delete -- 
something you should never do with spam, by the way! Until I saw the 
DJBDNS reference. Mr. Bernstein has what could politely be called a 
grudge against... well, almost everybody. His software seems to work, 
and it has a loyal and committed user base. But if you're going to 
look at alternatives to BIND, you need more options, and you need a 
better reason.

For more options, check out Nominum's ANS and CNS products, and 
NLNetLabs' "NSD", and Cisco's DNS/DHCP Manager, and Microsoft's 
Advanced Server product. (I'm sorry if I'm leaving somebody out, 
that's off the top of my head.)

For a better reason, discard "I don't want to have to learn about 
patches and apply them every year or two" since no vendor will ever be 
able to guaranty this. If you want help staying patched, talk to ISC 
about BIND support, or talk to your operating system vendor, or talk 
to your ISP. Help is out there.

My faith in and charity toward SANS has taken a sharp step downward 
today.

Paul Vixie
Maintainer/author, BIND4.9 - BIND8.1
Co-founder and President, ISC





More information about the ISN mailing list