UPDATE (8/7/08):
The patch posted below actually does NOT fix the cache poisoning problem; please check out my follow-up post instead. The original is included below, but please note that it does not fix the security problem.
original blog post:
Most of you have heard about the DNS cache poisoning exploit. It is serious; most operating systems have security updates with a fixed bind9/named package, and if you install them you're ok. However, Debian terminated security support for Sarge/3.1 on March 1st, so if you're like me, still running sarge and without the time to upgrade to etch or something newer, you're in a bad spot if you need to run a DNS server. Luckily, Debian makes it easy to compile and install custom packages, so here is how you can patch it manually.
Check what you have installed; yup, it's vulnerable:
$ dpkg -l | grep bind9
ii  bind9          9.2.4-1sarge3    Internet Domain Name Server
ii  bind9-host     9.2.4-1sarge3    Version of 'host' bundled with BIND 9.X
Install the source package for BIND9:
$ cd /usr/src && sudo apt-get source bind9
Reading Package Lists... Done
Building Dependency Tree... Done
Need to get 4667kB of source archives.
Get:1 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (dsc) [741B]
Get:2 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (tar) [4564kB]
Get:3 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (diff) [102kB]
Fetched 4667kB in 8s (534kB/s)
dpkg-source: extracting bind9 in bind9-9.2.4
Go patch it up:
$ cd bind9-9.2.4/
Apply this patch, either with patch(1) or manually. I did it manually just to be safe:
Index: inet_network.c diff -u inet_network.c:1.5 inet_network.c:1.6 --- inet_network.c:1.5 Wed Apr 27 04:56:21 2005 +++ inet_network.c Tue Jan 15 04:02:01 2008 @@ -84,9 +84,9 @@ } if (!digit) return (INADDR_NONE); + if (pp >= parts + 4 || val > 0xffU) + return (INADDR_NONE); if (*cp == '.') { - if (pp >= parts + 4 || val > 0xffU) - return (INADDR_NONE); *pp++ = val, cp++; goto again; } |
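Review bot: the moved check changes behaviour, so the replacement is not identical to what it replaces. Hoisting `if (pp >= parts + 4 || val > 0xffU) return (INADDR_NONE);` out of the `if (*cp == '.')` branch means the bound on the component count and the 0xff limit on `val` now apply to every component, including the last one (the one not followed by a '.'), which the original only checked when another dot followed. That is a bounds fix in the dotted-quad parser in lib/bind/inet/inet_network.c; nothing in the hunk touches query ID or source port selection, so it should not be expected to address the cache poisoning issue this post is about. Stating in the patch description the two inputs the check now rejects (a fifth component, or a final component above 255) would make the intent clear to whoever reviews it.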
$ sudo vi lib/bind/inet/inet_network.c
Build the package (if dpkg-buildpackage complains about missing build dependencies, run sudo apt-get build-dep bind9 first); this generates the .deb files:
$ cd .. && sudo apt-get -b source bind9
Install the package:
$ sudo dpkg -i bind9_9.2.4-1sarge3_i386.deb
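To make concrete what the hunk above actually changes, here is an added example (not BIND's code and not from the original post) that reimplements the component loop of inet_network() in both its pre-patch and post-patch form, switched by a flag. The code after the hunk (the final store and the packing of parts[] into the result) is reconstructed from the 9.2.4 source from memory and is an assumption, as is the fifth canary slot in parts[], added so the out-of-bounds store can be observed without undefined behaviour; the real array has four entries, so the same store lands past its end on the stack. The three inputs in main() are constructed for this demonstration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#ifndef INADDR_NONE
#define INADDR_NONE 0xffffffffU
#endif

#define CANARY 0xdeadbeefU   /* instrumentation only: marks the slot past parts[3] */

/*
 * Reimplementation of the component loop of BIND 9.2.4's inet_network().
 * patched == 0 reproduces the code before the hunk, patched == 1 the code
 * after it.  *overflowed (may be NULL) is set when the final store clobbers
 * the canary slot, i.e. when the real four-entry array would have been
 * overrun.  The tail after the hunk is an assumption, not copied code.
 */
static uint32_t parse_network(const char *cp, int patched, int *overflowed)
{
    uint32_t parts[5];            /* real code: parts[4]; parts[4] here is the canary */
    uint32_t *pp = parts;
    uint32_t val, base, n;
    int i, digit, of = 0;
    char c;

    parts[4] = CANARY;
    if (overflowed) *overflowed = 0;

again:
    val = 0; base = 10; digit = 0;
    if (*cp == '0') { digit = 1; base = 8; cp++; }
    if (*cp == 'x' || *cp == 'X') { base = 16; cp++; }
    while ((c = *cp) != 0) {
        if (isdigit((unsigned char)c)) {
            if (base == 8 && (c == '8' || c == '9'))
                return INADDR_NONE;
            val = val * base + (uint32_t)(c - '0');
            cp++; digit = 1;
            continue;
        }
        if (base == 16 && isxdigit((unsigned char)c)) {
            val = (val << 4) +
                  (uint32_t)(c + 10 - (islower((unsigned char)c) ? 'a' : 'A'));
            cp++; digit = 1;
            continue;
        }
        break;
    }
    if (!digit)
        return INADDR_NONE;

    /* Post-patch: component count and value are bounded for every
     * component, including the last one. */
    if (patched && (pp >= parts + 4 || val > 0xffU))
        return INADDR_NONE;

    if (*cp == '.') {
        /* Pre-patch: the same check lives here, so it only runs when another
         * dot follows; the final component is never checked. */
        if (!patched && (pp >= parts + 4 || val > 0xffU))
            return INADDR_NONE;
        *pp++ = val; cp++;
        goto again;
    }
    if (*cp && !isspace((unsigned char)*cp))
        return INADDR_NONE;

    *pp++ = val;                  /* final component: unchecked before the patch */
    if (parts[4] != CANARY)
        of = 1;                   /* the store above ran past a four-entry array */
    if (overflowed) *overflowed = of;

    n = (uint32_t)(pp - parts);
    if (n > 4)                    /* too late: the store has already happened */
        return INADDR_NONE;
    for (val = 0, i = 0; i < (int)n; i++) {
        val <<= 8;
        val |= parts[i] & 0xffU;
    }
    return val;
}

uint32_t inet_network_unpatched(const char *s, int *overflowed)
{ return parse_network(s, 0, overflowed); }

uint32_t inet_network_patched(const char *s, int *overflowed)
{ return parse_network(s, 1, overflowed); }

/* Convenience wrappers returning only the overflow flag. */
int unpatched_overflows(const char *s) { int of; (void)parse_network(s, 0, &of); return of; }
int patched_overflows(const char *s)   { int of; (void)parse_network(s, 1, &of); return of; }

int main(void)
{
    /* Constructed inputs: a normal address, an oversized final octet, and a
     * fifth component that forces the out-of-bounds store. */
    static const char *inputs[] = { "10.0.0.1", "1.2.3.256", "1.2.3.4.5" };
    size_t k;
    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        int of_before, of_after;
        uint32_t before = inet_network_unpatched(inputs[k], &of_before);
        uint32_t after  = inet_network_patched(inputs[k], &of_after);
        printf("%-10s unpatched=0x%08x overflow=%d  patched=0x%08x overflow=%d\n",
               inputs[k], before, of_before, after, of_after);
    }
    return 0;
}
```

Run it and the unpatched variant accepts 1.2.3.256 (packing only the low byte of 256) and, for 1.2.3.4.5, stores a fifth component past parts[3] before it rejects the input; the patched variant rejects both before storing anything. Neither variant has anything to do with transaction IDs or source ports, which is why this patch alone does not address the poisoning attack.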
Hi, thanks for your HowTo, but where is the patch for bind9_9.2.4-1sarge3 exactly? I could not find it following your link. Or could you publish the updated bind9 package for downloading?
Bye and Thx
Togeis
The patch was included in my post. You can find it at bind9’s site if you look harder. I don’t have the .deb with me now but I can compile it again and post the link to it later. Thanks.
Hello.
I'm in the same situation: I have a highly customized Sarge personal server, and little time to upgrade right now.
Please, could you confirm your patched bind is truly safe from cache poisoning? According to this web page ( http://www.howtoforge.com/how-to-patch-bind-to-avoid-cache-poisoning-debian-etch ) it can be tested with this command:
dig +short @ns1.example.com porttest.dns-oarc.net TXT
(where you should substitute “ns1.example.com” with your DNS server FQDN).
I am asking because, according to this page ( http://www.isc.org/index.pl?/sw/bind/bind-security.php ), the vulnerability your patch is fixing is NOT the cache poisoning one, but a buffer overflow condition (a bug in its own, but not the one responsible for the cache poisoning…).
Please, let me know what you find out.
Thanks.
Specifically, open the lib/bind/inet/inet_network.c file under the source tree in your favorite editor, go down to line 84 to see where the code above starts, then in the correct places add the two lines that are marked with a green +, and remove the two lines marked with a green -.
This fixes the transaction ID randomization, but the tool at http://entropy.dns-oarc.net/test/ still shows that the source port randomness is poor. Do you know what the patch is for that part?
Thanks,
Jeff
+1. Who more? 🙂
The posted patch does NOTHING. The replacement code is IDENTICAL to the code you are proposing to replace. This patch does nothing to fix the problem. Did you verify that this is the correct patch?
Thanks for all the comments, I might not have the right patch, I found that patch while I was digging around for it at bind9’s site but maybe it’s not the right one, will look into it now.
Just posted an update on this, thanks!
Ahaan… I will follow.