Yesterday the Internet Systems Consortium (ISC), the corporation that maintains BIND, announced that a vulnerability had been found that affects all currently supported versions of BIND 9. More information about this vulnerability can be found at the following URL:
http://www.isc.org/software/bind/advisories/cve-2011-4313
How this affects easyDNS and our customers
This vulnerability specifically affects nameservers that perform recursive queries, which is when a nameserver is asked to look up a hostname on the internet. For example, when you type “google.com” into your browser, your local ISP’s nameservers are given the task of looking up where “google.com” resolves, and then getting that answer back to your system so you can pull up the page. These types of nameservers are generally referred to as “recursive nameservers” and/or “caching nameservers”.
The easyDNS nameservers that our customers use for their DNS management are authoritative nameservers, meaning that they only answer queries for domains that they handle, such as our customer domains. The previous example of “google.com” would not work with our nameservers: they know they are not authoritative for “google.com”, and as such, do not perform recursive queries for domains they know they’re not handling. They will come back with a message essentially saying “WARNING: recursion requested but not available”.
Long story short, the nameservers that our customers rely on for their DNS management are not affected, and we will continue to upgrade and maintain them as per usual.
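On the wire, the recursive/authoritative distinction described above is a single header bit: the client sets RD (recursion desired) and a recursive server answers with RA (recursion available) set, and the “recursion requested but not available” warning is what a lookup tool reports when RA is missing. The Python sketch below is an added example, not easyDNS or ISC code, that an operator could use to confirm which of their own nameservers offer recursion. The function names are illustrative and the two sample response headers are constructed, not captured traffic.

```python
import socket
import struct

RD = 0x0100  # recursion desired: set by the client in the query
RA = 0x0080  # recursion available: set by the server in the response

def build_query(name, qid=0x1234, qtype=1):
    """Build a DNS query for `name` (A record by default) with RD set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def recursion_status(response, qid=0x1234):
    """Classify a raw DNS response by the flags in its 12-byte header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid:
        raise ValueError("response ID does not match query")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return {
        "recursion_available": bool(flags & RA),
        "authoritative_answer": bool(flags & 0x0400),
        "rcode": flags & 0x000F,
    }

def probe(server, name, timeout=3.0):
    """Query a nameserver you operate over UDP and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return recursion_status(data)

# Constructed sample headers (not captured traffic).
# Authoritative-only server refusing an out-of-zone name: QR, RD, RCODE=5.
AUTH_ONLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
# Recursive resolver answering the same query: QR, RD, RA, RCODE=0.
RECURSIVE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    print("authoritative-only:", recursion_status(AUTH_ONLY))
    print("recursive:", recursion_status(RECURSIVE))
```

A server that reports `recursion_available: True` for a name outside its own zones is acting as a recursive nameserver and belongs on the upgrade list for this advisory.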
What about the DNSResolvers service?
Excellent question! Those nameservers ARE recursive nameservers, and would be affected by this vulnerability. Our sysAdmins will be upgrading those nameservers tonight during off-peak hours to the latest version of BIND 9 that the ISC recommends, and that will… pardon the pun… resolve the issue with them.
[ UPDATE – 2011-11-18 @ 12:12am ] The upgrades to the DNSResolvers nameservers have been completed. They are no longer susceptible to the most recent BIND 9 vulnerability.
As always, we thank you for your continued use of easyDNS, and if you have any questions, concerns or comments, please let us know.