DNS issues could leave users in a BIND

Migrating from the long-outdated Berkeley Internet Name Daemon (BIND) 8 to the improved BIND 9 might be easier with the availability of an upgrade guide designed to educate remaining BIND 8 users about the inherent security risks of using the old version.

BIND is the open source reference implementation of the Domain Name System (DNS), which works much like a network phone book, translating computer hostnames into IP addresses.

The guide is the work of Redwood City, Calif.-based Internet Software Consortium (ISC) and Santa Clara, Calif.-based provider of utility-grade core network services Infoblox Inc. It will be available on Sept. 20, the day following a Webinar featuring a high-level discussion on the guide’s contents.

BIND 8 was introduced by ISC in 1997 and was subsequently rewritten and replaced by BIND 9 in 2000, followed by a couple of years of tweaking.

Once BIND 9 was complete, nobody was actually told to stop using its predecessor, BIND 8, said Paul Vixie, ISC founder and BIND 8 author. “Now we’re getting around to telling people there are some security bugs and performance problems and portability problems in BIND 8 which we’re not going to fix because the fix was to rewrite the whole thing which we did several years ago.”

The upgrade guide will educate users as to the differences between BIND 8 and 9, and things to look out for to ensure a successful upgrade. For instance, there are different requirements around configuration files and the location of log files; and changing a name server remotely with BIND 9 requires Remote Name Daemon Controller whereas its predecessor used Name Daemon Controller.

The upgrade to BIND 9 may not be as straightforward as users think, given that the two versions are completely different code bases, said Infoblox’s Cricket Liu, a DNS expert and vice-president of architecture. “If someone were to simply do an in-place upgrade from BIND 8 to BIND 9, they’d probably find there were a few things that didn’t work the way they expected.”

The process of upgrading from BIND 8 to 9 has been “pretty much completely painless”, said Michael Richardson, a board member of Ottawa Canada Linux Users Group, and vice-president of research and development with Ottawa, Ont.-based Xelerance Corp.

Richardson has performed many upgrades, and the few times he’s encountered difficulties were with configurations of non-standard features. “There were things that were added to either get around problems on the Internet or to provide for people who wanted to do things that really were not standard.”

However, most small companies don’t have complicated setups anyway, he said, and besides, reasonably intelligent DNS administrators should be able to cope with performing standard upgrades.

Given it is open source software accompanied by a license that gives users free rein over its use, Vixie said it’s impossible to tell users to stop using BIND 8. But he cautions that BIND 8 has security issues that make it “unsuitable for the Web.”

Richardson agreed, citing ‘DNS poisoning’ as a specific security concern with BIND 8 where a hacker can predict, with relatively good accuracy, the query that a computer will make.

According to a survey commissioned by Infoblox, about 14 per cent of name servers on the Internet are BIND 8. “That’s millions of name servers,” said Liu.

Those who persist with BIND 8, said Liu, tend to fall in two categories. There are those who, to their knowledge, haven’t experienced breaches with BIND 8 and are content to keep it. This majority group may not be comfortable upgrading to a version they know little about.

The other group, said Liu, actually had a reason to run BIND 8 because it supports functionality that BIND 9 didn’t. “So if you have one of these configurations, you might be compelled to stay with BIND 8,” he said, adding that up until six months to a year ago, BIND 9 is pretty much on par with its predecessor.

Also contributing to the issue, said Richardson, is that users have old systems that don’t get upgraded. “There was a BIND 8 that was available for Windows and there are a lot of Windows systems that never get upgraded.”

On the surface, Vixie said most users won’t see much difference with the upgrade, unless “you are a real power user who got pretty deeply into the features of this thing.”

Richardson thinks the guide will prove valuable nonetheless. “It’s always useful. If Google can find, people will use it.”
