Blog: How Tos

Denial-of-Service bug in BIND

Jamie Riden 04 Aug 2015

A bug was recently found in the TKEY query handling of BIND, the ISC nameserver daemon that performs a large proportion of the DNS resolution on the Internet. A crafted query containing a malformed TKEY record causes named to hit an assertion failure and exit (CVE-2015-5477). Exploit code is publicly available, and the trigger fits in a single UDP packet, which means the source address can be spoofed. BIND is vulnerable whether it is running as a recursive resolver or as an authoritative server, so please patch any exposed instances as soon as possible.

In practical terms, anyone on the Internet can crash your nameservers without you having any idea who they are. When your authoritative nameservers are down (the ones responsible for “example.com” if you have registered “example.com”), you may start losing email, because that is also how everyone else in the world looks up which mailserver to use for example.com. Your webserver will almost certainly be unreachable if all your nameservers are crashed. So, while it is “only” a denial of service, we suggest fixing it as soon as possible.
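Because the source address can be spoofed, you cannot rely on knowing who sent the packet, but you can at least see that TKEY queries (type 249) are arriving at a server that should never receive them. The following is an added example, not code from the original post or from ISC: a small DNS query parser that flags TKEY queries in UDP payloads, run here over a few constructed packets rather than live traffic. The packet builder, the sample traffic and the source addresses are all made up for the example.

```python
import struct

QTYPE_TKEY = 249   # RFC 2930 TKEY; the type used by the crafted packets
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qtype, qclass=QCLASS_IN, txid=0x1234, flags=0x0100):
    """Build a minimal DNS message with one question (helper for the samples)."""
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_name(buf, off):
    """Decode an uncompressed wire-format name starting at offset off."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            # Compression pointers are not expected in a question section.
            raise ValueError("compression pointer in question name")
        if off + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels) or ".", off


def parse_query(buf):
    """Parse the header and question section of a DNS message."""
    if len(buf) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", buf[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = parse_name(buf, off)
        if off + 4 > len(buf):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "flags": flags, "questions": questions,
            "ancount": ancount, "nscount": nscount, "arcount": arcount}


def is_tkey_query(buf):
    """True for a DNS *query* (QR bit clear) whose question asks for TKEY."""
    try:
        msg = parse_query(buf)
    except ValueError:
        return False   # not parseable as a question; nothing to classify
    if msg["flags"] & 0x8000:
        return False   # a response, not a query
    return any(qtype == QTYPE_TKEY for _, qtype, _ in msg["questions"])


def flag_tkey_queries(packets):
    """Return the (src, qname) pairs for every TKEY query in a list of (src, payload)."""
    hits = []
    for src, payload in packets:
        if is_tkey_query(payload):
            qname = parse_query(payload)["questions"][0][0]
            hits.append((src, qname))
    return hits


# Constructed sample traffic (not a real capture); the addresses are placeholders.
SAMPLE_PACKETS = [
    ("198.51.100.7", build_query("www.example.com", QTYPE_A)),
    ("203.0.113.9", build_query("example.com", QTYPE_TKEY)),
    ("198.51.100.8", build_query("example.com", QTYPE_TKEY, flags=0x8180)),  # a response
    ("203.0.113.10", b"\x00\x01\x02"),                                      # junk
]

if __name__ == "__main__":
    for src, qname in flag_tkey_queries(SAMPLE_PACKETS):
        print(f"TKEY query for {qname} from {src} (source address may be spoofed)")
```

Feed it the UDP payloads of port-53 traffic from a capture and treat a hit as a signal to check that the server has been patched, not as evidence about the sender: the source address in a hit is untrustworthy for exactly the reason given above. Note that TKEY is used legitimately for GSS-TSIG key negotiation (for example by Windows clients doing secure dynamic updates), so on servers that accept such updates this should raise an alert rather than drop traffic.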

References:
Sucuri Blog: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
BIND advisory: https://kb.isc.org/article/AA-01272
Exploit code: https://github.com/robertdavidgraham/cve-2015-5477