CERT warns of another BIND problem

A flaw in a software tool used to translate text-based Internet domain names into numerical addresses could make parts of the Internet vulnerable to denial-of-service attacks, the Computer Emergency Response Team (CERT) warned Tuesday.

The flaw is in certain versions of BIND (Berkeley Internet Name Domain), a widely-used piece of DNS (Domain Name System) software, CERT said in an advisory.

DNS servers running BIND 9 prior to version 9.2.1 are vulnerable. An attacker could shut down the DNS service on that server by sending a specific DNS packet. The service will then remain unavailable until restarted, CERT said.

BIND 9.2.1 was released on May 1 by the Internet Software Consortium (ISC), which distributes BIND free of charge. It is a so-called maintenance release that fixes a number of bugs in 9.2.0 but has no new features, according to the ISC Web site.

DNS servers translate text-based domain names into numeric IP (Internet Protocol) addresses. When those servers go down, users who type Web addresses — such as nba.com and fbi.gov — can’t connect to the intended servers. E-mail sent to affected domains will bounce back.

“If you can trigger something that shuts down the name server, than that is a serious matter,” said Petur Petursson, chief executive officer of Men & Mice Inc., a DNS consultancy firm in Reykjavik, Iceland.

“It is normal for a company to run two name servers. If you manage to shoot both of them down, the company will disappear from the Internet,” Petursson said.

BIND 9.2.1 is available for free download from the ISC Web site. BIND is also often part of software sold by server software vendors. These vendors may offer their own patches, according to CERT, which urges users of BIND 9 to either upgrade or apply a patch.

The vulnerability of the DNS is seen as an important Internet security concern. The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the Internet’s addressing system, has formed a security committee aimed, in part, at examining DNS security holes.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now