BIND CVE-2017-3142 and CVE-2017-3143

2017-06-30 - News - Tony Finch

In case you have not already seen it, last night ISC.org announced a serious vulnerability in BIND: if you have a server which allows dynamic DNS UPDATE then a remote attacker may be able to alter your zones without proper authentication. For more details see:

Note that update-policy local; uses a well-known TSIG key name (local-ddns) and does not include any IP address ACL restrictions, so it is extremely vulnerable to attack. To mitigate this you can replace update-policy local; with

allow-update { !{ !localhost; any; }; key local-ddns; };

This denies updates from every address except localhost, and then allows updates signed with the built-in local-ddns key. For a longer explanation, see ISC's article on using ACLs with both addresses and keys at https://kb.isc.org/article/AA-00723/0/Using-Access-Control-Lists-ACLs-with-both-addresses-and-keys.html and note that you can still use nsupdate -l with this configuration.
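To find which zones in a named.conf still rely on update-policy local; or on a key-only allow-update ACL, here is a small audit script. It is an added example, not from this post or from ISC; it assumes a simplified config grammar (zone blocks with balanced braces, no braces inside quoted strings or comments), and the named.conf fragment it scans is constructed.

```python
import re

# Constructed named.conf fragment (not from the post): weak, mitigated, and static.
SAMPLE_NAMED_CONF = """
zone "weak.example"   { type master; file "weak.db";   update-policy local; };
zone "fixed.example"  { type master; file "fixed.db";
                        allow-update { !{ !localhost; any; }; key local-ddns; }; };
zone "static.example" { type master; file "static.db"; };
"""

def _balanced(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += (text[i] == '{') - (text[i] == '}')
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def _top_level_elements(acl):
    """Split an ACL body on the ';' separators outside nested { } groups."""
    elems, depth, cur = [], 0, ''
    for ch in acl:
        depth += (ch == '{') - (ch == '}')
        if ch == ';' and depth == 0:
            elems.append(cur.strip())
            cur = ''
        else:
            cur += ch
    return [e for e in elems if e]

def audit_zone(body):
    """Classify one zone body by how it gates dynamic updates."""
    if re.search(r'\bupdate-policy\s+local\s*;', body):
        return 'update-policy local'      # well-known key name, no address ACL
    m = re.search(r'\ballow-update\s*\{', body)
    if not m:
        return 'updates disabled'         # BIND's default for a zone
    elems = _top_level_elements(_balanced(body, m.end() - 1))
    keys = [e for e in elems if re.match(r'key\s', e)]
    addrs = [e for e in elems if not re.match(r'key\s', e) and e != 'any']
    if keys and not addrs:
        return 'key-only allow-update'    # trusts TSIG alone, no address check
    return 'address-restricted' if addrs else 'open to any address'

def audit_named_conf(text):
    """Return {zone name: verdict} for every zone "..." { ... }; block."""
    return {m.group(1): audit_zone(_balanced(text, text.index('{', m.end())))
            for m in re.finditer(r'\bzone\s+"([^"]+)"', text)}
```

Zones reported as 'update-policy local' or 'key-only allow-update' are the ones to convert to the address-plus-key ACL above.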

Our master DNS server has very strict packet filters which should be effective at mitigating this vulnerability until I can update the servers.