Comments on BIND 9 Vulnerability And Solution - Patch BIND To Avoid Cache Poisoning (Fedora/CentOS)

I am pretty sure most of you have heard about the vulnerability in BIND. Earlier this month Dan Kaminsky announced a massive, multi-vendor issue with DNS that could allow attackers to compromise any name server, and clients too. I thought I would share with you all one of the quickest solutions that system administrators running BIND 9 can use to help solve this vulnerability if their systems are vulnerable.

Comments

By:

If you have a server with a nonsupported FC release, i.e. FC7, you can upgrade from SRPMS from FC9 as described below.

1) Download the SOURCE rpms (in this case ftp.uio.no):
cd /tmp
wget ftp://ftp.uio.no/linux/Fedora/updates/9/SRPMS/bind-9.5.0-33.P1.fc9.src.rpm
rpm -ivh bind-9.5.0-33.P1.fc9.src.rpm

2) Build the RPMS:
cd /usr/src/redhat/SPECS
First try:
rpmbuild -bb bind.spec
You may have to install missing rpms with yum like:
yum update postgresql-devel mysql-devel unixODBC-devel
Try again:
rpmbuild -bb bind.spec
If OK, proceed to 3), else repeat.

3) Check out the binary RPMS produced:

cd /usr/src/redhat/RPMS/i386
ls -l
total 10416
-rw-r--r-- 1 root root 1706252 2008-07-30 09:11 bind-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root   58218 2008-07-30 09:11 bind-chroot-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root 4130721 2008-07-30 09:11 bind-debuginfo-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root 3277876 2008-07-30 09:11 bind-devel-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root  978048 2008-07-30 09:11 bind-libs-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root  274739 2008-07-30 09:11 bind-sdb-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root  195075 2008-07-30 09:11 bind-utils-9.5.0-33.P1.fc7.i386.rpm

4) Back up your bind config files.

5) Which bind rpms are installed on my machine?
rpm -qa | grep "^bind"
bind-9.4.2-4.fc7
bind-chroot-9.4.2-4.fc7
bind-libs-9.4.2-4.fc7
bind-utils-9.4.2-4.fc7

6) Upgrade only the RPMs that you have installed on your machine:

rpm -Uvh bind-9.5.0-33.P1.fc7.i386.rpm bind-chroot-9.5.0-33.P1.fc7.i386.rpm bind-libs-9.5.0-33.P1.fc7.i386.rpm bind-utils-9.5.0-33.P1.fc7.i386.rpm

7) Check the log and verify that everything is OK.
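
Steps 5) and 6) above as an added shell example, not part of the original comment: it picks from the freshly built RPMs only those whose package is already installed, so bind-debuginfo, bind-devel and bind-sdb are not pulled in by accident. The function names `pkg_name` and `select_upgrades` are hypothetical, and the sample lists are constructed from the listings in the comment.

```sh
#!/bin/sh
# Added example: choose which built RPMs to hand to `rpm -Uvh`.

# Reduce "name-version-release[.arch][.rpm]" to the package name.
# Names may contain hyphens (bind-chroot), so only the last two
# hyphen-separated fields are stripped.
pkg_name() {
    base=${1##*/}                 # drop any directory part
    base=${base%-*}               # drop "-release.arch.rpm"
    printf '%s\n' "${base%-*}"    # drop "-version"
}

# select_upgrades INSTALLED FILE...
# INSTALLED is newline-separated `rpm -qa` output. Prints, one per line,
# the files whose package name matches an installed package exactly.
select_upgrades() {
    installed=$1
    shift
    names=$(printf '%s\n' "$installed" | while IFS= read -r p; do
        if [ -n "$p" ]; then pkg_name "$p"; fi
    done)
    for f in "$@"; do
        # -F fixed string, -x whole line: "bind" must not match "bind-libs"
        if printf '%s\n' "$names" | grep -Fxq -- "$(pkg_name "$f")"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample input, copied from the listings in steps 3) and 5).
INSTALLED='bind-9.4.2-4.fc7
bind-chroot-9.4.2-4.fc7
bind-libs-9.4.2-4.fc7
bind-utils-9.4.2-4.fc7'
BUILT='bind-9.5.0-33.P1.fc7.i386.rpm bind-chroot-9.5.0-33.P1.fc7.i386.rpm
bind-debuginfo-9.5.0-33.P1.fc7.i386.rpm bind-devel-9.5.0-33.P1.fc7.i386.rpm
bind-libs-9.5.0-33.P1.fc7.i386.rpm bind-sdb-9.5.0-33.P1.fc7.i386.rpm
bind-utils-9.5.0-33.P1.fc7.i386.rpm'

# $BUILT is left unquoted on purpose so it splits into one argument per file.
select_upgrades "$INSTALLED" $BUILT

# On the real machine the two inputs would come from the system instead:
#   select_upgrades "$(rpm -qa | grep '^bind')" /usr/src/redhat/RPMS/i386/bind-*.rpm
```

The printed list is the argument list for the `rpm -Uvh` command in step 6).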

By:

I was able to build the RPMs but they wouldn't install on FC3:

error: Failed dependencies:

  chkconfig >= 1.3.26 is needed by bind-9.5.0-33.P1.i386
  libdns.so.16 is needed by bind-libs-9.5.0-33.P1.i386
  libisc.so.7 is needed by bind-libs-9.5.0-33.P1.i386
  libisccc.so.0 is needed by bind-libs-9.5.0-33.P1.i386
  libbind.so.3 is needed by (installed) sendmail-8.13.1-4.legacy.i386