The blogosphere is great, I wrote up on how I patched up my bind9 and quite a few people contacted me or posted comments informing me that it was the wrong patch. I looked into it more today and finally got a real fix for it.

I could not find a patch to fix the DNS cache poisoning problem for bind-9.2.4, it is probably no longer maintained. So I had to compile it from scratch, for the impatient I have hosted the .deb here.

First remove old bind9 package and download bind-9.5.0-P1.tar.gz from http://www.isc.org/index.pl?/sw/bind/view/?release=9.5.0-P2 and unpack:

$ mkdir /tmp/bind && cd !$ && tar -zxf bind-9.5.0-P1.tar.gz && cd bind-9.5.0-P1/

you might need one or all of these packages, if you’ve never build a .deb before you probably at least need dh-make

$ sudo apt-get install autotools-dev fakeroot dh-make

run dh_make and build:

$ dh_make

tweak configurations in the debian directory, I added –disable-openssl-version-check and –sysconfdir=/etc/bind to the configure options

$ sudo dpkg-buildpackage -rfakeroot

Now you should have a .deb in /tmp/bind, install it as usual

$ cd .. && sudo dpkg -i bind_9.5.0-P2-1_i386.deb

I think I didn’t configure the deb build options correctly so I didn’t get a /etc/init.d/bind9, if you’re missing that after the install, you can grab mine here. Also, when you removed bind9.2.4 it might’ve removed /var/cache/bin, if so, you need to create that directory, or whatever you specified as the directory in /etc/bind/named.conf.

If you have problems getting named to run, look for a named.run file, it should have the error message on why it exited execution. Finally, you should verify it by running something like this:

$ dig +short @localhost porttest.dns-oarc.net txt
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"x.x.x.x is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 19585"

If you see GREAT, it’s working, if you see POOR, then you’re still running an outdated version of named/bind9.