One security vulnerability can enable a successful denial of service attack, disabling your DNS.


Most of the vulnerabilities discovered in BIND are ways to trigger INSIST or ASSERT failures, which cause BIND to exit. When an external user can reliably cause the BIND process to exit, that is a very effective denial of service attack. Nanny scripts can restart BIND, but in some cases it may take hours to reload, and the server remains vulnerable to being shut down again.

Why take unnecessary risk?

Sign up for this subscription-based service to protect your BIND servers.

  • One annual flat fee covers any organization, regardless of size.
  • Requires executing a Non Disclosure Agreement.
  • Designate up to four individuals to be notified.
  • Receive notification, with a patch or patched version of BIND, 3 days prior to public announcement.
  • Your subscription helps to sustain ISC’s open source efforts.


How Does It Work?

ISC follows a careful, published process for handling all serious reported issues.

We are usually able to handle BIND vulnerabilities with a managed disclosure process.*

When we discover the vulnerability through our own testing, or it is reported to ISC privately, we first verify the problem and then work around the clock on a solution. Once we have a solution, we schedule a coordinated public announcement. As much as five days before the public announcement (and at least 3 business days), we notify our subscribers of the problem, individually and privately, and offer them a revised version of BIND that fixes the problem.

*In some cases a vulnerability is disclosed publicly by the reporter, in which case we will not be able to manage the disclosure.

You can protect your DNS


How Often Are There Vulnerabilities?

BIND is not on the list of the top 50 software applications in terms of reported security vulnerabilities, but we do typically learn of 4-5 new serious vulnerabilities every year. Most of the newly discovered vulnerabilities have been in the software for years, but they are being exposed by new software ‘fuzz testing’ techniques that hammer the software with random malformed messages until one is found that impairs the server. Even though these may never have been used in an Internet attack, it is still important to update your server to protect against some future abuse.

The website cvedetails.com displays information on past vulnerabilities by vendor and product. ISC maintains the original announcements in our knowledge base, along with a matrix showing which vulnerabilities applied to which releases.

Last modified: May 23, 2017 at 9:05 pm