COMMAND

    BIND

SYSTEMS AFFECTED

    BIND 9.1.0

PROBLEM

    Max Vision found the following. The BIND 9.1.0beta releases, and now
    BIND 9.1.0, include another hard-coded CHAOS-class record called
    "authors". So even if an admin changes or suppresses the version
    reply string, a remote user can still determine whether the server
    is running BIND 9.x. With the recent discovery of the TSIG bug in
    BIND there will probably be a huge rise in version queries. Some
    attackers may remove ambiguity by skipping servers that reply to
    authors.bind (inferring that they run BIND 9.1.0 and are not
    vulnerable).

        % dig @ns.example.com authors.bind chaos txt

    or

        % nslookup -q=txt -class=CHAOS authors.bind. ns.example.com
        Server:  ns.example.com
        Address:  23.23.23.23

        authors.bind    text = "Bob Halley"
        authors.bind    text = "Mark Andrews"
        authors.bind    text = "James Brister"
        authors.bind    text = "Michael Graff"
        authors.bind    text = "David Lawrence"
        authors.bind    text = "Michael Sawyer"
        authors.bind    text = "Brian Wellington"
        authors.bind    text = "Andreas Gustafsson"

    The following Snort signature will detect these probes:

        alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS480/named-probe-authors";
        content: "|07|authors|04|bind"; depth: 32; offset: 12; nocase;)
        http://whitehats.com/info/IDS480
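    As an added example, not part of the original advisory: a small
    Python detector that builds a sample authors.bind CH TXT query
    (constructed inline, not captured traffic), reproduces the byte match
    the IDS480 rule performs, and adds a stricter parse of the question
    section that also checks QCLASS and QTYPE. The packet builder and
    function names are assumptions of this example, not BIND or Snort
    code.

```python
import struct

CHAOS_CLASS = 3   # QCLASS CH
TXT_TYPE = 16     # QTYPE TXT
PROBE_NAMES = {"authors.bind.", "version.bind."}   # hard-coded CH names in BIND 9

def build_query(qname, qtype, qclass, txid=0x1234):
    """Minimal DNS query: 12-byte header plus one question (constructed sample)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack(">HH", qtype, qclass)

def parse_question(pkt):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    if struct.unpack(">H", pkt[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question")
        labels.append(pkt[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, qclass = struct.unpack(">HH", pkt[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass

def snort_rule_matches(pkt):
    """Byte-level equivalent of IDS480: content "|07|authors|04|bind" searched
    in the 32 bytes starting at offset 12, nocase. Checks neither QTYPE nor QCLASS."""
    return b"\x07authors\x04bind" in pkt[12:12 + 32].lower()

def is_chaos_probe(pkt):
    """Stricter check: a TXT query in class CH for a known fingerprint name."""
    try:
        qname, qtype, qclass = parse_question(pkt)
    except (ValueError, IndexError, struct.error):
        return False
    return qclass == CHAOS_CLASS and qtype == TXT_TYPE and qname in PROBE_NAMES

if __name__ == "__main__":
    probe = build_query("authors.bind.", TXT_TYPE, CHAOS_CLASS)
    print(parse_question(probe), snort_rule_matches(probe), is_chaos_probe(probe))
```

    The signature fires on the name bytes alone, so an IN-class query for
    the same name also matches it; the class-aware check separates real
    CHAOS probes from that noise.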

SOLUTION

    Queries like the above can be suppressed using the new "view"
    capability, for example:

        view "external-chaos" chaos {
            match-clients { any; };
            recursion no;
            zone "." {
                type hint;
                file "/dev/null";
            };
        };

    together with a similar entry for hesiod records. Queries against
    either chaos or hesiod records will then come back as "servfail".

    Alternatively, defining your own "bind." zone in class CH (rather
    than IN), with SOA and TXT records, overrides the hard-coded values.
    For example, a "bind." zone containing this record:

        version.bind.    0    ch   txt     "Who knows"

    ensures that, even if one does not use a "view" to block chaos
    records, one at least gives out only the information one wants to
    give out.

    Changing the version string on an 8.2.3 or 9.1.0 server to report
    4.9.5 would be a good solution. Script kiddies and more experienced
    crackers will attempt BIND4 exploits on your BIND8 or 9 server,
    which will confuse them for a while. Hopefully by then you will
    have noticed the activity. Automated notification to one's pager
    will help.

    For the absolutely paranoid, this patch will at least disable that
    fingerprinting:

    --- server.c.org        Tue Jan 30 20:25:57 2001
    +++ server.c    Tue Jan 30 20:23:03 2001
    @@ -1667,7 +1667,7 @@
            CHECK(create_bind_view(&view));
            ISC_LIST_APPEND(lctx.viewlist, view, link);
            CHECK(create_version_zone(cctx, server->zonemgr, view));
    -       CHECK(create_authors_zone(server->zonemgr, view));
    +/*     CHECK(create_authors_zone(server->zonemgr, view));*/
            dns_view_freeze(view);
            view = NULL;
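    Review bot: the `+` line comments the call out instead of deleting it, which leaves a stray `/* CHECK(create_authors_zone(server->zonemgr, view)); */` in the view-setup path and, depending on how create_authors_zone is declared, may also leave an unused function behind; remove the line `CHECK(create_authors_zone(server->zonemgr, view));` outright, or better, gate it on a named.conf option so the behaviour can be changed without rebuilding. The hunk still calls create_version_zone(), so version.bind is unaffected by this patch and still needs the version-string or view handling described above.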