What are the existing solutions to protect against the BIND critical security vulnerability?

At the end of July 2015, a critical security vulnerability affecting all versions of BIND 9 DNS (Domain Name System) servers was discovered. This vulnerability, one of the most important highlighted in recent years, could be exploited by hackers to launch a DoS attack against all affected DNS servers (from version 9.1.0 to BIND 9.10.2-P2).

  • Why is this vulnerability critical?

The vulnerability is critical because it allows remote attackers to cause a denial of service via a TKEY query. As every IT manager knows, if the DNS server is not responding, the whole domain is not reachable.

This vulnerability is also unusual because it does not depend on a specific configuration. Most of the time, BIND security issues are limited in scope or affect only users with a particular set of configuration choices. CVE-2015-5477 does not fall into that category. Almost all unpatched BIND servers are potentially vulnerable, and there are no known configuration workarounds.
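Because the trigger is a TKEY query, a server's query log shows who is sending that query type. The following is an added example, not code from ISC or from this article: it scans BIND-style query log lines for TKEY queries and counts them per client. The log layout, the sample lines and the function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample in the style of BIND 9 query logging (assumed layout:
# "client <ip>#<port> (<name>): query: <qname> <class> <type> <flags> (<dst>)").
SAMPLE_LOG = """\
04-Aug-2015 10:15:01.120 queries: info: client 192.0.2.10#53211 (www.example.com): query: www.example.com IN A +E (198.51.100.53)
04-Aug-2015 10:15:02.004 queries: info: client 203.0.113.7#40112 (host.example.com): query: host.example.com IN TKEY + (198.51.100.53)
04-Aug-2015 10:15:02.310 queries: info: client 203.0.113.7#40113 (host.example.com): query: host.example.com IN TKEY + (198.51.100.53)
04-Aug-2015 10:15:03.500 queries: info: client 2001:db8::5#51000 (example.com): query: example.com IN MX +ED (198.51.100.53)
04-Aug-2015 10:15:04.000 queries: info: client @0x7f2a1c0 2001:db8::9#51001 (k.example.com): query: k.example.com IN TKEY + (198.51.100.53)
"""

# Some BIND releases log "client @0x... <ip>#<port>"; the pointer is optional here.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r".*?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def tkey_queries(lines):
    """Yield (client_ip, qname) for each logged query whose type is TKEY."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("qtype").upper() == "TKEY":
            yield m.group("ip"), m.group("qname")


def summarize(lines):
    """Return a Counter of TKEY queries per client address."""
    return Counter(ip for ip, _ in tkey_queries(lines))


if __name__ == "__main__":
    for ip, count in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}\t{count} TKEY queries")
```

Query logging has to be enabled (for example with rndc querylog) for these lines to exist. TKEY is also used legitimately for key negotiation such as GSS-TSIG dynamic updates, so the useful signal is TKEY traffic from sources that have no reason to send it.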

  • What are the existing solutions?

There is no configuration workaround to protect against the BIND vulnerability, nor any way to prevent its exploitation through access control lists.

Patching is one option. The needed patch can be found here.

However, patching can be tricky. So a long-term solution is to run a product like Solid server Hybrid DNS Engine from Efficient IP. It is an appliance integrating 3 different DNS engines (BIND, NSD, Unbound) so that you can switch automatically from one engine to another in case of a zero-day or critical vulnerability.

In one click when needed, you can switch from a classical DNS server to an alternative DNS server that is not impacted by BIND vulnerabilities. It gives you more control over risk management to protect your DNS infrastructure. It is simple to use, easy to install and quickly operational.

As a partner of Efficient IP and considering the current environment, Nellsoft strongly recommends the Hybrid DNS Engine in order to reduce cyber threats to the DNS.

In order to get more information on this solution, please click here.

