DoS Flaws Haunt BIND Server Software | eWeek

DoS Flaws Haunt BIND Server Software

Écrit par
Ryan Naraine
Ryan Naraine
Jan 27, 2005
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

The nonprofit Internet Systems Consortium has rolled out fixes for a pair of denial-of-service flaws in its BIND (Berkeley Internet Name Domain) implementation of the Domain Name System protocols.

The vulnerabilities were reported in BIND versions 8.4.4, 8.4.5 and 9.3.0 and carry a “moderately critical” rating from independent research firm Secunia.

BIND is by far the most popular software for mapping domain names to IP addresses on the Internet. Vulnerabilities in BIND have triggered heated debates in security circles because of the heavy dependence on the software.

The first flaw, which only affects versions 8.4.4 and 8.4.5, is a buffer overflow error in the handling of the “q_usedns” array used by the server to track name servers and addresses that have been queried.

A successful exploit could allow an attacker to crash the service, according to an advisory from the U.S. Computer Emergency Readiness Team.

The ISC has recommended that users disable recursion and glue fetching as a temporary workaround. A comprehensive fix is available in the new ISC BIND version 8.4.6.

The second flaw, which affects BIND version 9.3.0, was found in the way BIND supports the DNS Security Extensions (DNSSEC), including the NextSECure (NSEC) RDATA Format. “An incorrect assumption in the validator function authvalidated() can result in an internal consistency test failing and named exiting,” US-CERT warned in a second advisory.

An attacker with the ability to craft specific DNS packets could exploit this vulnerability to trigger denial-of-service attacks.

Users are urged to disable dnssec validation at the Options/View level and upgrade to the new BIND version 9.3.1.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.