ISC Patches Critical BIND Flaw
Earlier this week, the Internet Systems Consortium (ISC) patched a critical security flaw in BIND that could have allowed attackers to disrupt large swathes of the internet. This article explains how the Domain Name System (DNS) works and how the BIND flaw could, in theory, affect users.
The DNS is the internet's primary directory service, much like a phone book: it translates domain names into the numerical IP addresses that computers around the world need in order to reach each other. It is the vital system that lets you connect to websites using human-friendly names like "example.com" instead of an IP address. The DNS is composed of a worldwide network of servers, and most of these servers run BIND, software created and maintained by the ISC.
The flaw affects versions of BIND 9 from 9.1.0 through 9.10.2-P2. It is particularly serious because it can be exploited to crash both authoritative and recursive DNS servers with a single packet. Authoritative DNS servers hold the records for one or more domain names, or even for an entire top-level domain such as .org. Recursive DNS servers take queries from clients, look up the answers on their behalf and return them. Most computers use the recursive DNS servers maintained by their internet service provider, so if those servers are crashed, the computers they serve can no longer reach websites by name.
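To turn the affected range above into a quick inventory check, here is an added example (not code from the article or from ISC) that parses BIND version strings, including the `-Pn` patch-level suffix, and reports whether a version falls inside the 9.1.0 to 9.10.2-P2 range exactly as stated above; ISC's advisory remains the authoritative source for any exceptions, and the `named -v` output strings used as input are constructed samples.

```python
import re

# Affected range as stated in the article (inclusive at both ends).
AFFECTED_LOW = "9.1.0"
AFFECTED_HIGH = "9.10.2-P2"

# major.minor.patch with an optional "-Pn" maintenance-patch suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_bind_version(text):
    """Extract (major, minor, patch, plevel) from a BIND version string.

    Accepts a bare version such as '9.10.2-P2' or a full `named -v` line such
    as 'BIND 9.9.5-3ubuntu0.2-Ubuntu' (constructed sample). A missing -Pn
    suffix counts as patch level 0, so 9.10.2 sorts below 9.10.2-P1.
    Returns None when no version number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text):
    """True if the BIND version in `text` lies within the affected range.

    Caveat for defenders: Linux distributions often backport security fixes
    without bumping the upstream version number, so a distro package may be
    flagged here even though the fix has been applied. Confirm against the
    distribution's own changelog before treating such a host as exposed.
    """
    version = parse_bind_version(text)
    if version is None:
        raise ValueError("no BIND version found in: %r" % text)
    low = parse_bind_version(AFFECTED_LOW)
    high = parse_bind_version(AFFECTED_HIGH)
    return low <= version <= high


if __name__ == "__main__":
    # Constructed sample inputs resembling `named -v` output.
    for line in ("BIND 9.10.2-P2", "BIND 9.10.2-P3", "BIND 9.9.5-3ubuntu0.2-Ubuntu"):
        print("%-36s affected=%s" % (line, is_affected(line)))
```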
Patching is the only reliable protection, as ISC engineer Michael McNally stated in a memo:
“Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then.”