Severe bug deadlocks BIND
DNS lookup system peril
Developers have published a fix to tackle a high-risk flaw in BIND, the widely used Domain Name Services (DNS) software. The flaw creates a potential mechanism for miscreants to crash systems running vulnerable version of the name-to-IP-address translation software.
Left unaddressed, the vulnerability can provide a means to cause BIND servers to deadlock and stop processing requests. Authoritative name servers can be pushed into a deadlock condition when processing incremental zone transfer (IXFR) updates. These updates deal with recent changes in DNS records, with unchanged records omitted to save bandwidth and processing power.
An advisory by the Internet Systems Consortium (ISC) explains: "When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur.
"This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition."
Attacks on the authoritative name servers that underpin the net's "yellow page" system have the potential to severely disrupt internet surfing, even though those users could still reach websites by using the IP address instead of name of the site they wanted to reach.
The flaw – discovered by net software firm Neustar – affects BIND version 9.7.1 and 9.7.2. Neither earlier versions of BIND nor BIND 9.8 are vulnerable.
No exploits against the vulnerability exist, but sysadmins are still being urged to update to BIND version 9.7.3, which addresses the flaw. ®