While your DNS servers are still running, it's time to patch BIND
Posted: Thu Feb 13, 2025 8:11 am
Domain Name System (DNS) security flaws have recently been the cause of major DDoS attacks. Last fall, a DNS outage hit Azure users. More recently, a massive DDoS attack on DNS provider Dyn took down tens of thousands of websites. So when the Internet Systems Consortium (ISC) releases patches for three major security flaws in the BIND DNS server, you should install them. Now.
BIND is the most popular DNS server on the Internet. Like other DNS servers, it translates human-readable domain names into IP addresses. It is used in almost all Linux and Unix-based servers. In fact, if you have DNS running, especially on Linux, you have BIND running.
Until you patch your BIND, there are three security holes, one of which can be exploited for DDoS attacks. These are CVE-2016-9131 (malformed response for ANY query can cause assertion failure during recursion), CVE-2016-9147 (error in handling response for query with invalid DNSSEC information can cause assertion failure), and CVE-2016-9444 (unusually formed DS resource record can cause assertion failure).
The only good news is that the DNS servers most vulnerable in this sense are those operating in recursive mode. In this mode, the BIND server, having failed to find an answer in its local cache, tries to resolve the address by querying higher-level authoritative DNS servers. Authoritative DNS servers are comparatively less susceptible to attacks that exploit these security holes.
Fortunately, most Linux distributions have already released patches for this trio of issues. I highly recommend that system administrators patch this significant BIND security issue as soon as possible.
Would you really want to justify yourself to your boss because your network suddenly stopped working? I don't think so.
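Since the post singles out recursive resolvers as the higher-risk group, here is an added helper (my own, not from the post or from ISC) that classifies a named.conf as recursive or authoritative-only and reports the installed named version so you can decide how urgently to patch. It assumes BIND's default of `recursion yes` when the option is absent, and the sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example: decide whether a BIND config runs in recursive mode
# (the mode most exposed to the three assertion-failure CVEs) and show
# the running named version. Not code from the original post.

# Print "recursive" or "authoritative" for the named.conf given as $1.
# BIND defaults to "recursion yes" when the option is absent (assumption),
# so only an explicit "recursion no;" counts as authoritative-only.
bind_mode() {
    conf="$1"
    # Strip // and # comments so a commented-out line cannot fool the check.
    if sed -e 's://.*$::' -e 's:#.*$::' "$conf" \
        | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
        echo authoritative
    else
        echo recursive
    fi
}

# Report the installed named version, or a note if named is not on PATH.
bind_version() {
    command -v named >/dev/null 2>&1 || { echo "named not installed"; return 0; }
    named -v 2>&1 | head -n 1
}

# Constructed sample configs for a stand-alone run (not real deployments).
tmp_rec=$(mktemp); tmp_auth=$(mktemp)
trap 'rm -f "$tmp_rec" "$tmp_auth"' EXIT
cat > "$tmp_rec" <<'EOF'
options {
    directory "/var/cache/bind";
    // recursion not set here: BIND default is yes
    allow-query { any; };
};
EOF
cat > "$tmp_auth" <<'EOF'
options {
    directory "/var/cache/bind";
    recursion no;   # authoritative-only server
    allow-query { any; };
};
EOF
echo "sample 1 mode: $(bind_mode "$tmp_rec")"    # recursive
echo "sample 2 mode: $(bind_mode "$tmp_auth")"   # authoritative
echo "installed:     $(bind_version)"
```

Run it with your real config path (`bind_mode /etc/bind/named.conf.options` on Debian-style layouts) after sourcing the script; a "recursive" result with an unpatched version is the case the post tells you to fix first.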