BIND vulnerability — What to know, how to update.
On July 28, researchers at the Internet Systems Consortium (ISC), which oversees the development and maintenance of BIND, announced that they had discovered a code defect that can allow denial of service (DoS) attacks to be executed relatively easily against BIND servers. A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting a DoS and affecting server availability.
Since BIND is the most widely used implementation of Domain Name System (DNS) protocols for the Internet, this defect has widespread implications. All versions of BIND 9, beginning with BIND 9.1.0, up to and including BIND 9.9.7-P1 and BIND 9.10.2-P2, are vulnerable.
Because this code defect occurs relatively early in packet processing — before limits on authoritative or recursive services are applied — blocking DoS attacks using access control lists or server configuration is not feasible. Deployment of a patched version is the recommended fix.
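As an added example (not part of the original advisory or of ISC's or SUSE's tooling), the following script checks a `named -v` version string against the affected range stated above. The function names and sample strings are constructed for illustration. Distribution packages that backport fixes can still report an older upstream version, so a match means "check the package changelog", not "confirmed vulnerable".

```python
import re
import subprocess

# Bounds taken from the advisory text: BIND 9.1.0 up to and including
# 9.9.7-P1, and the 9.10 branch up to and including 9.10.2-P2.
# Tuples are (major, minor, patch, P-level); a release without -P is P-level 0.
FIRST_AFFECTED = (9, 1, 0, 0)
LAST_AFFECTED_9_9 = (9, 9, 7, 1)
LAST_AFFECTED_9_10 = (9, 10, 2, 2)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(\S*)")


def parse_bind_version(text):
    """Extract (major, minor, patch, plevel) from `named -v` style output."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    # Only the -P<n> security patch level is compared; other suffixes
    # (rc1, b2, vendor tags) are ignored and treated as P-level 0.
    p = re.search(r"-P(\d+)", m.group(4))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)),
            int(p.group(1)) if p else 0)


def in_affected_range(text):
    """True if the version falls inside the range given in the advisory."""
    v = parse_bind_version(text)
    last = LAST_AFFECTED_9_10 if v >= (9, 10, 0, 0) else LAST_AFFECTED_9_9
    return FIRST_AFFECTED <= v <= last


def local_named_version():
    """Ask the installed named binary for its version (assumes it is on PATH)."""
    result = subprocess.run(["named", "-v"], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


# Constructed sample strings, not captured from real servers.
SAMPLES = [
    "BIND 9.9.7-P1 (Extended Support Version)",
    "BIND 9.10.2-P2",
    "BIND 9.10.2-P3",
    "BIND 9.0.1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s}: {'in affected range' if in_affected_range(s) else 'outside range'}")
```

On a host running BIND, `in_affected_range(local_named_version())` applies the same check to the installed binary.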
The good news:
Patches that update BIND, and close this vulnerability, are available for SUSE Linux Enterprise 10, 11 and 12.
For more information on this vulnerability – including how to determine if your system is affected and how to update properly in order to secure your systems' uptime – the best place to start is the Knowledge Base article and the BIND patch information page.