Developers have published a fix to tackle a high-risk flaw in BIND, the widely used Domain Name Services (DNS) software. The flaw creates a potential mechanism for miscreants to crash systems running vulnerable version of the name-to-IP-address translation software.

Left unaddressed, the vulnerability can provide a means to cause BIND servers to deadlock and stop processing requests. Authoritative name servers can be pushed into a deadlock condition when processing incremental zone transfer (IXFR) updates. These updates deal with recent changes in DNS records, with unchanged records omitted to save bandwidth and processing power.

"This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition."

Attacks on the authoritative name servers that underpin the net's "yellow page" system have the potential to severely disrupt internet surfing, even though those users could still reach websites by using the IP address instead of name of the site they wanted to reach.

The flaw – discovered by net software firm Neustar – affects BIND version 9.7.1 and 9.7.2. Neither earlier versions of BIND nor BIND 9.8 are vulnerable.

No exploits against the vulnerability exist, but sysadmins are still being urged to update to BIND version 9.7.3, which addresses the flaw. ®

Related stories

• Experts argue over whether shallow DNS gene pool hurts web infrastructure (16 August 2012)
• Updated BIND security update protects against serious server crash (16 November 2011)
• Finance software bug causes $217m in investor losses (22 September 2011)
• Bind DNS resolver purged of critical DoS bug (27 May 2011)
• Bug puts net's most popular DNS app in Bind (24 November 2009)
• BIND crash bug prompts urgent update call (29 July 2009)
• Caching bugs exposed in second biggest DNS server (28 February 2009)
• One in ten DNS servers still vulnerable to poisoning (10 November 2008)
• Updated World's biggest ISPs drag feet on critical DNS patch (25 July 2008)