A single security vulnerability can enable a successful denial of service attack, taking your DNS offline.
Most of the vulnerabilities discovered in BIND are ways to trigger INSIST or ASSERT failures, which cause the named process to exit. When an external user can reliably cause the BIND process to exit, that is a very effective denial of service attack. Nanny scripts can restart BIND, but reloading can take hours in some cases (large zones, a cold cache), and the restarted server can be shut down again by the same trigger.
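The nanny script mentioned above, as an added example that is not ISC's code and is not part of the original page: a minimal watchdog that probes the local server and restarts it when the probe fails. It assumes (hypothetically) that named listens on 127.0.0.1, is managed by systemd as the unit "named", and that dig is installed; the probe and restart commands are passed as strings so the logic can be exercised with stand-ins where no named is running.

```shell
#!/bin/sh
# Added example, not ISC code: a minimal "nanny" watchdog for named.
# It probes the local resolver and restarts the service when the probe fails.
# Assumptions (hypothetical): named listens on 127.0.0.1, is managed by
# systemd under the unit name "named", and dig is installed.

# Probe: ask the local server for its CHAOS-class version record. A named that
# has exited after an INSIST/ASSERT failure answers nothing, so dig fails.
PROBE='dig +short +time=2 +tries=1 @127.0.0.1 version.bind chaos txt'
RESTART='systemctl restart named'
INTERVAL=10   # seconds between probes

# watchdog_cycle PROBE_CMD RESTART_CMD
# Runs one check. Returns 0 when the probe succeeds; otherwise runs the
# restart command and returns 1. Commands are strings run through sh -c, so
# the function can be tested with "true"/"false" in place of real commands.
watchdog_cycle() {
    if sh -c "$1" >/dev/null 2>&1; then
        return 0
    fi
    # logger may be absent on minimal systems; never let that abort the cycle.
    logger -t named-nanny "probe failed, running: $2" 2>/dev/null || true
    sh -c "$2" >/dev/null 2>&1
    return 1
}

# watchdog_loop: run cycles forever. Each restart is logged, so a run of
# restarts (the signature of a remotely triggerable assertion) is visible
# in syslog even though service keeps coming back.
watchdog_loop() {
    while :; do
        watchdog_cycle "$PROBE" "$RESTART" || :
        sleep "$INTERVAL"
    done
}

# Only start the loop when explicitly asked, so the file can be sourced
# (for example by a test) without blocking.
if [ "${NANNY_RUN:-0}" = 1 ]; then
    watchdog_loop
fi
```

Run it with `NANNY_RUN=1 sh named-nanny.sh` under a process manager, or turn the loop into a systemd timer. The caveat is the one the text makes: the watchdog restores availability, it does not remove the trigger. Each restart drops the cache and reloads zones, and an attacker who can crash named once can do it again as soon as it is back; a burst of restart log lines is the signal that the server needs the fixed release, not more restarts.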
Why take unnecessary RISK?
This DNS outage is almost always preventable with advance notification.
How Does It Work?
ISC follows a careful, published process for handling all serious reported issues.
We are usually able to handle BIND vulnerabilities with a managed disclosure process.*
When we discover the vulnerability through our own testing, or it is reported to ISC privately, we first verify the problem and then work around the clock on a solution. Once we have a solution, we schedule a coordinated public announcement. As much as five days before the public announcement (at least three business days), we notify our subscribers of the problem, individually and privately, and offer them a revised version of BIND that fixes the problem.
*In some cases a vulnerability is disclosed publicly by the reporter, and then we are not able to manage the disclosure.
You can protect your DNS even if attackers release working exploits immediately after the public announcement.
Contact ISC to sign up for this subscription-based service.
- One annual flat fee covers any organization, regardless of size.
- Requires executing a Non-Disclosure Agreement.
- Designate up to four individuals to be notified.
- Receive notification, with a patch or patched version of BIND, at least three business days prior to the public announcement.
- Your subscription helps to sustain ISC’s open source efforts
We recommend keeping your software up to date and subscribing to Advance Security Notifications for a secure BIND deployment.
How Often Are There Vulnerabilities?
BIND is not among the top 50 software products by number of reported security vulnerabilities, but we typically learn of four or five new serious vulnerabilities each year.
The website cvedetails.com lists past vulnerabilities by vendor and product. ISC keeps the original advisories in our knowledge base, along with a matrix showing which vulnerabilities apply to which BIND releases, so you can check whether the version you run is affected.