US-CERT Vulnerability Notes Database

Internet Systems Consortium Information for VU#800113

Date Notified: 2008-04-29
Date Updated: 2008-07-14
Statement Date: 2008-07-03
Status Summary: Vulnerable

Vendor Statement

ISC is providing patches for BIND 9.3, 9.4 and 9.5 (tagged -P1) that
implement measures to enhance resilience against this sort of attack.
BIND accomplishes this by including the use of the source port queries
as additional information that would need to be predicted by a
successful attack.

ISC is also making beta releases, BIND 9.5.1b1 and 9.4.3b2 available
for download and testing.  These beta releases provide the same
improved resiliency as the patches but with better performance for
servers with query volumes at or above 10,000 queries per second.
They are, however, betas, not fully tested production releases. The
patches (P1 versions) are fully tested today and released for
production use.  Older versions of BIND 9 and BIND 8 will not be
patched as they are EOL.

ISC notes that even with these measures, the nature of the DNS
protocol is such that attacks of this nature may still succeed. The
only solution to fully counter this sort of attack is to deploy DNSSEC
in DNS zones and enable DNSSEC validation in the resolvers.
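
The check below is an added example, not part of ISC's statement and not ISC code: it classifies the UDP source ports a resolver used on consecutive outgoing queries, to confirm after patching that the port really is additional information an attacker would have to predict. It assumes the ports were collected from a packet capture of the resolver's outgoing queries; the function name, the thresholds and the sample lists are constructed for illustration.

```python
import math
import statistics

def assess_source_ports(ports, min_samples=20):
    """Classify UDP source ports seen on a resolver's consecutive outgoing queries."""
    if len(ports) < min_samples:
        return {"verdict": "insufficient-data", "samples": len(ports)}
    distinct = len(set(ports))
    # Step between consecutive ports, modulo the 16-bit port space.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small_steps = sum(1 for d in deltas if 0 < d <= 16)
    if distinct == 1:
        verdict = "fixed"        # one port reused: nothing extra to predict
    elif small_steps / len(deltas) > 0.8:
        verdict = "sequential"   # next port follows from the previous one
    elif distinct / len(ports) < 0.5 or statistics.pstdev(ports) < 1000:
        verdict = "narrow"       # small pool or tight range (illustrative thresholds)
    else:
        verdict = "randomized"
    return {
        "verdict": verdict,
        "samples": len(ports),
        "distinct": distinct,
        # Port diversity visible in this sample, in bits (not the true pool size).
        "observed_port_bits": round(math.log2(distinct), 1),
    }

# Constructed samples: source ports of 24 consecutive queries per scenario.
SAMPLES = {
    "single_port": [32771] * 24,
    "incrementing": list(range(1025, 1049)),
    "small_pool": [40000, 40100, 40050, 40200] * 6,
    "spread": [51234, 10422, 33871, 60015, 2877, 44190, 19563, 57201,
               8344, 38912, 27650, 63480, 14207, 49876, 5531, 31098,
               55423, 22764, 41359, 12986, 61742, 36205, 17439, 46618],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        print(name, assess_source_ports(ports))
```

A "fixed", "sequential" or "narrow" verdict on a patched server usually points at configuration or a NAT device in the path rewriting the ports, so capture on the far side of any such device.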

Vendor Information

Vendor References

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2012 by US-CERT, a government organization