Tag Archives: security

How to patch up Debian sarge bind9 TAKE TWO!

The blogosphere is great, I wrote up on how I patched up my bind9 and quite a few people contacted me or posted comments informing me that it was the wrong patch. I looked into it more today and finally got a real fix for it.

I could not find a patch to fix the DNS cache poisoning problem for bind-9.2.4, it is probably no longer maintained. So I had to compile it from scratch, for the impatient I have hosted the .deb here.

First remove old bind9 package and download bind-9.5.0-P1.tar.gz from http://www.isc.org/index.pl?/sw/bind/view/?release=9.5.0-P2 and unpack:

$ mkdir /tmp/bind && cd !$ && tar -zxf bind-9.5.0-P1.tar.gz && cd bind-9.5.0-P1/

you might need one or all of these packages, if you’ve never build a .deb before you probably at least need dh-make

$ sudo apt-get install autotools-dev fakeroot dh-make

run dh_make and build:

$ dh_make

tweak configurations in the debian directory, I added –disable-openssl-version-check and –sysconfdir=/etc/bind to the configure options

$ sudo dpkg-buildpackage -rfakeroot

Now you should have a .deb in /tmp/bind, install it as usual

$ cd .. && sudo dpkg -i bind_9.5.0-P2-1_i386.deb

I think I didn’t configure the deb build options correctly so I didn’t get a /etc/init.d/bind9, if you’re missing that after the install, you can grab mine here. Also, when you removed bind9.2.4 it might’ve removed /var/cache/bin, if so, you need to create that directory, or whatever you specified as the directory in /etc/bind/named.conf.

If you have problems getting named to run, look for a named.run file, it should have the error message on why it exited execution. Finally, you should verify it by running something like this:

$ dig +short @localhost porttest.dns-oarc.net txt
"x.x.x.x is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 19585"

If you see GREAT, it’s working, if you see POOR, then you’re still running an outdated version of named/bind9.

How to patch bind9 in Debian sarge to get DNS cache poisoning exploit patch

UPDATE (8/7/08):

The patch posted below actually does NOT fix the cache poisoning problem, please check out my follow up post instead. The original is included below but please note that it does not fix the security problem.

original blog post:

Most of you have heard about the DNS cache poisoning exploit, it is serious, most operating systems have security updates to get the latest bind9/named package and if you update you’re ok. However, Debian terminated security supports for Sarge/3.1 on March 1st. So if you’re like me still running sarge and don’t have the time to upgrade to etch or something newer, you’re kindda in a bad situation if you need to run a DNS. Luckily, Debian makes it really easy to compile and install custom packages, so here is how you can patch it up manually.

Check what you have installed, yup, it’s vulnerable:

$ dpkg -l | grep bind9
ii bind9 9.2.4-1sarge3 Internet Domain Name Server
ii bind9-host 9.2.4-1sarge3 Version of 'host' bundled with BIND 9.X

Install the source package for BIND9.

$ cd /usr/src && sudo apt-get source bind9
Reading Package Lists... Done
Building Dependency Tree... Done
Need to get 4667kB of source archives.
Get:1 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (dsc) [741B]
Get:2 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (tar) [4564kB]
Get:3 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (diff) [102kB]
Fetched 4667kB in 8s (534kB/s)
dpkg-source: extracting bind9 in bind9-9.2.4

Go patch it up:

$ cd bind9-9.2.4/

Apply this patch, either with patch(1) or manually, I did it manually just to be safe:

Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5	Wed Apr 27 04:56:21 2005
+++ inet_network.c	Tue Jan 15 04:02:01 2008
@@ -84,9 +84,9 @@
 	if (!digit)
 		return (INADDR_NONE);
+	if (pp >= parts + 4 || val > 0xffU)
+		return (INADDR_NONE);
 	if (*cp == '.') {
-		if (pp >= parts + 4 || val > 0xffU)
-			return (INADDR_NONE);
 		*pp++ = val, cp++;
 		goto again;
$ sudo vi lib/bind/inet/inet_network.c

build the package, this will generate a .deb:

$ cd .. && sudo apt-get -b source bind9

install the package:

$ sudo dpkg -i bind9_9.2.4-1sarge3_i386.deb