A stitch in BIND saves nine

A vulnerability was discovered in the named DNS server implementation contained in the development branch builds of BIND 9.



This is a story of catastrophe averted. It’s a case study for the value of fuzzing in software development.


Synopsys Cybersecurity Research Center (CyRC) researchers discovered a denial-of-service vulnerability in development branch builds of BIND 9 by Internet Systems Consortium (ISC). Had this vulnerability gone unnoticed in a stable release version, nearly two-thirds of the internet’s name servers would have been vulnerable to a trivial-to-execute denial-of-service attack.


The story of this vulnerability highlights the value of security testing integrated with application development.


About BIND 9


BIND 9 is a suite of software tools related to the Domain Name System (DNS), the internet’s system for mapping alphabetic names to numeric internet protocol (IP) addresses. The vulnerability was located in the named (short for “name daemon”) DNS server implementation contained in BIND 9.


Named is a free software product distributed with most UNIX and Linux platforms. As of 2015, it is the most widely used domain name server software and the de facto standard on UNIX-like operating systems. In September 2020, a survey revealed that BIND 9 was used on 65% of DNS servers.


The vulnerability was discovered in development branch builds of BIND 9, before it was introduced into stable builds and released for widespread mainstream adoption.


About the vulnerability


For an attack to be successful, the target server needs to run a version of named with TLS support enabled and configured. Sending a DNS request with an opcode other than ..
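The paragraph above turns on two things a defender can observe on the wire: whether a DNS message arrived over a TLS (DNS-over-TLS) listener, and which opcode its header carries. The article does not state which opcode is involved, so the example below does not either; it is an added, illustrative decoder (not code from the article, Synopsys, or ISC) that assumes only the public wire formats: the 12-byte DNS header of RFC 1035 and the two-octet length prefix that RFC 7858 borrows from DNS over TCP for DNS over TLS. The sample messages are constructed inline for the demonstration.

```python
import struct

# Opcode registry values (RFC 1035, RFC 1996, RFC 2136; IANA DNS parameters).
OPCODE_NAMES = {
    0: "QUERY",
    1: "IQUERY",
    2: "STATUS",
    4: "NOTIFY",
    5: "UPDATE",
}

HEADER_LEN = 12


def parse_dns_header(message: bytes) -> dict:
    """Decode the fixed DNS header (RFC 1035 section 4.1.1).

    Raises ValueError on a short buffer so a caller never indexes past
    the end of an undersized message.
    """
    if len(message) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!HHHHHH", message[:HEADER_LEN]
    )
    opcode = (flags >> 11) & 0xF          # bits 1-4 of the flags word
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,          # 0 = query, 1 = response
        "opcode": opcode,
        "opcode_name": OPCODE_NAMES.get(opcode, f"UNASSIGNED({opcode})"),
        "rcode": flags & 0xF,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def split_length_prefixed(stream: bytes):
    """Split a DNS-over-TLS / DNS-over-TCP byte stream into messages.

    Each message is preceded by a 2-byte big-endian length (RFC 1035
    section 4.2.2, reused by RFC 7858). Returns (messages, leftover) where
    leftover is any trailing partial frame still waiting for more bytes.
    """
    messages = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break                         # incomplete frame: keep for next read
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages, stream[pos:]


def tally_opcodes(messages) -> dict:
    """Count opcodes across raw DNS messages; malformed ones are counted
    separately rather than aborting the whole batch. Handy for logging what
    a TLS listener is actually receiving."""
    counts = {}
    for msg in messages:
        try:
            name = parse_dns_header(msg)["opcode_name"]
        except ValueError:
            name = "MALFORMED"
        counts[name] = counts.get(name, 0) + 1
    return counts


def frame(message: bytes) -> bytes:
    """Prepend the 2-byte length used on TCP and TLS transports."""
    return struct.pack("!H", len(message)) + message


# Constructed sample messages (not captured traffic).
# Standard query, ID 0x1234, RD set, opcode 0, one question: example.com A IN.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
)
# NOTIFY (opcode 4) with AA set: flags = (4 << 11) | 0x0400 = 0x2400.
SAMPLE_NOTIFY = struct.pack("!HHHHHH", 0xBEEF, 0x2400, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)
# UPDATE (opcode 5): flags = 5 << 11 = 0x2800.
SAMPLE_UPDATE = struct.pack("!HHHHHH", 0xCAFE, 0x2800, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)

if __name__ == "__main__":
    stream = frame(SAMPLE_QUERY) + frame(SAMPLE_NOTIFY) + b"\x00\x05\xab"
    msgs, rest = split_length_prefixed(stream)
    for m in msgs:
        print(parse_dns_header(m))
    print("leftover bytes:", rest)
    print(tally_opcodes([SAMPLE_QUERY, SAMPLE_NOTIFY, SAMPLE_UPDATE, b"\x00"]))
```

Because the TLS layer only wraps the same length-prefixed stream used for TCP, the framing and header decoding are identical for both transports; the transport is what changes the code path inside the server, not the bytes the server has to parse.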
