Debian Security Advisory

DSA-1603-1 bind9 -- DNS cache poisoning

Date Reported:
08 Jul 2008
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2008-1447.
CERT's vulnerabilities, advisories and incident notes: VU#800113.
More information:

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult.

Note that this security update changes BIND network behavior in a fundamental way, and the following steps are recommended to ensure a smooth upgrade.

1. Make sure that your network configuration is compatible with source port randomization. If you guard your resolver with a stateless packet filter, you may need to make sure that no non-DNS services listen on the 1024--65535 UDP port range and open it at the packet filter. For instance, packet filters based on etch's Linux 2.6.18 kernel only support stateless filtering of IPv6 packets, and therefore pose this additional difficulty. (If you use IPv4 with iptables and ESTABLISHED rules, networking changes are likely not required.)

2. Install the BIND 9 upgrade, using "apt-get update" followed by "apt-get install bind9". Verify that the named process has been restarted and answers recursive queries. (If all queries result in timeouts, this indicates that networking changes are necessary; see the first step.)

3. Verify that source port randomization is active. Check that the /var/log/daemon.log file does not contain messages of the following form

named[6106]: /etc/bind/named.conf.options:28: using specific query-source port suppresses port randomization and can be insecure.

right after the "listening on IPv6 interface" and "listening on IPv4 interface" messages logged by BIND upon startup. If these messages are present, you should remove the indicated lines from the configuration, or replace the port numbers contained within them with "*" sign (e.g., replace "port 53" with "port *").

For additional certainty, use tcpdump or some other network monitoring tool to check for varying UDP source ports. If there is a NAT device in front of your resolver, make sure that it does not defeat the effect of source port randomization.

4. If you cannot activate source port randomization, consider configuring BIND 9 to forward queries to a resolver which can, possibly over a VPN such as OpenVPN to create the necessary trusted network link. (Use BIND's forward-only mode in this case.)

Other caching resolvers distributed by Debian (PowerDNS, MaraDNS, Unbound) already employ source port randomization, and no updated packages are needed. BIND 9.5 up to and including version 1:9.5.0.dfsg-4 only implements a weak form of source port randomization and needs to be updated as well. For information on BIND 8, see DSA-1604-1, and for the status of the libc stub resolver, see DSA-1605-1.

The updated bind9 packages contain changes originally scheduled for the next stable point release, including the changed IP address of L.ROOT-SERVERS.NET (Debian bug #449148).

For the stable distribution (etch), this problem has been fixed in version 9.3.4-2etch3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your bind9 package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:
HP Precision:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.