Dear Aleph, I'll leave it to your discresion as to whether this should go public. For me this is simply a problem relating to adding MX records with 192.168.xx.xx addresses to internal name servers. Some people may assume that if they rely on DNS data for their own domains, they are only relying on the intergrety of their own servers. With BIND 8 this appears not to be true. If somone can change the delegation of a domain, or make a new domain like EMIT. or 168.192.IN-ADDR.ARPA., bind 8 will accept the data pointed to via route servers etc. in place of local master files. While searching for some kind of "option to get the old behaviour" I found a report about this in the BIND-USERS archive of 2 months ago, but it appears to have been seen as someone who could not configure the program properly. I have just emailed Patrick Volkerding as I happen to have taken this bind from his distribution. The question is the old one of whether bad-people can use this knowledge better than their potential victims. There is no exploit here to get you control of a route server in the fist place, but there is no quick fix either. Backing off this version probably means back to something with greater vulnerabilities. Replacing names with IPs in every context would be a pain. If nothing else, producing a fake 168.192.IN-ADDR.ARPA. would be a DOS attack against thousands of internal services as tcpds would refuse connections. Yours Ian > >This appears to be due to an email which I sent to Paul Vixie and Cricket >Liu about what I took to be an intentional change in behaviour. One or >other of them must have decided this is a bug. In which case I should >probably add that the bind I have found this with is BIND-8.1.2-REL >taken from the Slackware 3.6.0 distribution. >The bug is that domains which have valid delegations within the DNS >system can not be overriden with local master files. IE. If I make >a master file for microsoft.com, www.microsoft.com remains with the >IP microsoft give it and not what I give it. Domains which are >delegated to me eg EMIT.PL. a or domains which have no delegation >anywhere eg. EMIT. work as expected. >Yours >Ian > >bind-bugsat_private wrote> >>Greetings. (This is an automated response. There is no need to reply.) >> >>Your message regarding: >> Non-delegated master domains >>has been received and assigned a request number of 18. >> >>In order help us track the progress of this request, we ask that you >>include the string [BIND-BUGS #18] in the subject line of any further mail >>about this particular request. >>For example: >> Subject: [BIND-BUGS #18] Non-delegated master domains >> >>You may do this simply by replying to this email. >>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:32 PDT