djbdns Security

This past Tuesday, March 3rd, 2009 was somewhat of a momentous day. It marked the end of a security-hole-free run for the djbdns package that started way back on February 11, 2001. That's over 8 years without a security-related issue discovered in the code! In Internet time, that's quite simply an eternity.

djbdns is a DNS software package written by Dan Bernstein of the University of Illinois at Chicago. It replaces the functionality of BIND, the Internet's most popular DNS server. However, while popular, BIND has had some fairly serious security holes in its lifetime. They include a number of root exploits and various cache poisoning exploits like the one uncovered by Dan Kaminsky that threatened to take down the entire Internet! djbdns had classically been immune to these attacks and offered as close to a "set it up and forget it" DNS server as you could get. Dan backed up his software by offering a $1,000 prize to the person who could demonstrate a security flaw in the software.

However, this past Tuesday, Dan confirmed in a post to the gmane.network.djbdns newsgroup that a security flaw had been found, and awarded $1,000 to Matt Dempsky, who found the bug. The flaw is exposed only when a tinydns server delegates authority for a subdomain of the main domain to an untrusted third party. The bug effectively enabled the third party to cache (and therefore modify) names in the parent domain. Of course, you would have to have a delegation like this, and a client would have to ask that subdomain server for a name that is usually served by the main server as well, so this flaw isn't major by any stretch of the imagination. It does, however, violate the trust relationship and is therefore a security hole.

Dan will be releasing an updated version of djbdns, but you can patch the current latest version of djbdns (1.0.5) with the following:

--- response.c.orig 2009-02-24 21:04:06.000000000 -0800
+++ response.c 2009-02-24 21:04:25.000000000 -0800
@@ -34,7 +34,7 @@
uint16_pack_big(buf,49152 + name_ptr[i]);
return response_addbytes(buf,2);
}
- if (dlen <= 128)
+ if ((dlen <= 128) && (response_len < 16384))
if (name_num < NAMES) {
byte_copy(name[name_num],dlen,d);
name_ptr[name_num] = response_len;
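
Review bot: the added `(response_len < 16384)` bound is the right place for the check, because it guards the only spot where `name_ptr[]` entries are created, and the pointer emitted earlier in the hunk as `uint16_pack_big(buf,49152 + name_ptr[i])` has to fit in 16 bits; with `name_ptr[i]` at 16384 or above that sum is 65536 or more and no longer does. Both magic numbers deserve a name and a comment, e.g. a `#define` for the 16384 offset limit shared by the guard and the 49152 base, so the next reader can see that the two constants are tied to the same 14-bit pointer field rather than being unrelated tuning values.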

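The guard makes sense once the pointer arithmetic visible in the hunk is written out: a DNS name-compression pointer is 49152 (0xC000) plus a 14-bit offset, so an offset of 16384 or more cannot be packed into 16 bits. The Python below is an added illustration of that arithmetic and of what the patch changes; it is not code from djbdns, and the `record_name` table model and the constant names are my own simplification of the hunk.

```python
import struct

# Constructed example; constants mirror the arithmetic visible in the hunk.
POINTER_BASE = 49152        # 0xC000: top two bits set mark a compression pointer
OFFSET_LIMIT = 16384        # 2**14: a pointer offset has only 14 bits available


def encode_pointer(offset: int) -> bytes:
    """Pre-patch encoding: 49152 + offset packed big-endian into 16 bits,
    the same as uint16_pack_big(buf, 49152 + name_ptr[i]) in response.c."""
    return struct.pack(">H", (POINTER_BASE + offset) & 0xFFFF)


def decode_name_start(two: bytes):
    """Read two bytes the way a resolver reads the start of a name:
    top bits 11 mean 'pointer to offset', otherwise a plain label length."""
    value = struct.unpack(">H", two)[0]
    if (value >> 14) == 0b11:
        return ("pointer", value & 0x3FFF)
    return ("label", value >> 8)


def record_name(name_ptr: list, response_len: int, patched: bool) -> bool:
    """Model of the name-table insertion the patch guards. tinydns only
    emits pointers to names in this table, so refusing entries at offsets
    of 16384 or more is what keeps every later pointer well-formed; the
    unpatched code records the name regardless of where it sits."""
    if patched and response_len >= OFFSET_LIMIT:
        return False          # name gets written out in full instead
    name_ptr.append(response_len)
    return True


def round_trip(offset: int):
    """Encode a back-reference to `offset`, then decode it as a resolver would."""
    return decode_name_start(encode_pointer(offset))


if __name__ == "__main__":
    # Offsets below 16384 survive the round trip; at 16384 the sum wraps to
    # 0x0000, which a resolver reads as an empty label, not a pointer.
    for off in (12, 16383, 16384, 16384 + 300):
        print(off, encode_pointer(off).hex(), round_trip(off))
```
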
About Me:

Name: Anders Brownworth
Location: Cambridge, MA, USA
Work: Writing iPhone and Android applications at Bandwidth.
Play: Technology, World Traveler and Licensed Helicopter Pilot