<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>Yes, the freebsd maintainer was notified a few days ago and is working on it.<div><br></div><div>Secondly, the iptables command blocks incoming responses by matching packets with the QR bit in the fixed dnsheader set.</div><div><br></div><div>We tried to find a bsd equivalent command but failed to do so.</div><div><br><span style="font-size:87%">Sent from a phone, pardon my brevity!</span> </div><br><br><br> Charles Sprickman <spork@bway.net> wrote: <br><br><br><div style="word-break:break-all;">Two quick questions for those of us not running Linux:<br><br>-Are you coordinating with the FreeBSD port maintainer to get the new version pushed out? (http://www.freshports.org/dns/powerdns)<br>-For those of us unfamiliar with iptables, can you describe in a more generic fashion what that rule is accomplishing?<br><br>Thanks,<br><br>Charles<br><br>On Jan 10, 2012, at 9:01 AM, bert hubert wrote:<br><br>> Dear PowerDNS users,<br>> <br>> It saddens us to have to release this Security Advisory, the first one since<br>> almost exactly two years ago.<br>> <br>> Updated versions of the Authoritative Server are available from<br>> http://www.powerdns.com/content/downloads.html and you will find two<br>> workarounds and a patch below. <br>> <br>> A version of this announcement with clickable links is available from<br>> http://doc.powerdns.com/powerdns-advisory-2012-01.html<br>> <br>> If you have problems upgrading and would like us to help you, please contact<br>> powerdns.support@netherlabs.nl for a support arrangement.<br>> <br>> +-------------+---------------------------------------------------------------+<br>> |CVE |CVE-2012-0206 |<br>> +-------------+---------------------------------------------------------------+<br>> |Date |10th of January 2012 |<br>> +-------------+---------------------------------------------------------------+<br>> |Credit |Ray Morris of BetterCGI.com. |<br>> +-------------+---------------------------------------------------------------+<br>> |Affects |Most PowerDNS Authoritative Server versions < 3.0.1 (with the |<br>> | |exception of the just released 2.9.22.5) |<br>> +-------------+---------------------------------------------------------------+<br>> |Not affected |No versions of the PowerDNS Recursor ('pdns_recursor') are |<br>> | |affected. |<br>> +-------------+---------------------------------------------------------------+<br>> |Severity |High |<br>> +-------------+---------------------------------------------------------------+<br>> | |Using well crafted UDP packets, one or more PowerDNS servers |<br>> |Impact |could be made to enter a tight packet loop, causing temporary |<br>> | |denial of service |<br>> +-------------+---------------------------------------------------------------+<br>> |Exploit |Proof of concept |<br>> +-------------+---------------------------------------------------------------+<br>> |Risk of | |<br>> |system |No |<br>> |compromise | |<br>> +-------------+---------------------------------------------------------------+<br>> |Solution |Upgrade to PowerDNS Recursor 2.9.22.5 or 3.0.1 |<br>> +-------------+---------------------------------------------------------------+<br>> |Workaround |Several, the easiest is setting: cache-ttl=0, which does have a|<br>> | |performance impact. Please see below. |<br>> +-------------+---------------------------------------------------------------+<br>> <br>> <br>> Affected versions of the PowerDNS Authoritative Server can be made to<br>> respond to DNS responses, thus enabling an attacker to setup a packet loop<br>> between two PowerDNS servers, perpetually answering each other's answers. <br>> In some scenarios, a server could also be made to talk to itself, achieving<br>> the same effect.<br>> <br>> If enough bouncing traffic is generated, this will overwhelm the server or<br>> network and disrupt service.<br>> <br>> As a workaround, if upgrading to a non-affected version is not possible,<br>> several options are available. The issue is caused by the packet-cache,<br>> which can be disabled by setting 'cache-ttl=0', although this does incur a<br>> performance penalty. This can be partially addressed by raising the<br>> query-cache-ttl to a (far) higher value.<br>> <br>> Alternatively, on Linux systems with a working iptables setup, 'responses'<br>> sent to the PowerDNS Authoritative Server 'question' address can be blocked<br>> by issuing:<br>> <br>> # iptables -I INPUT -p udp --dst $AUTHIP --dport 53 \! -f -m u32 --u32 "0>>22&0x3C@8>>15&0x01=1" -j DROP<br>> <br>> <br>> If this command is used on a router or firewall, substitute FORWARD for INPUT.<br>> <br>> To solve this issue, we recommend upgrading to the latest packages available<br>> for your system. Tarballs and new static builds (32/64bit, RPM/DEB) of 2.9.22.5<br>> and 3.0.1 have been uploaded to our download site. Kees Monshouwer has provided<br>> updated CentOS/RHEL packages in his repository. Debian, Fedora and SuSE should<br>> have packages available shortly after this announcement.<br>> <br>> For those running custom PowerDNS versions, just applying this patch may be<br>> easier:<br>> <br>> --- pdns/common_startup.cc (revision 2326)<br>> +++ pdns/common_startup.cc (working copy)<br>> @@ -253,7 +253,9 @@<br>> numreceived4++;<br>> else<br>> numreceived6++;<br>> -<br>> + if(P->d.qr)<br>> + continue;<br>> +<br>> S.ringAccount("queries", P->qdomain+"/"+P->qtype.getName());<br>> S.ringAccount("remotes",P->getRemote());<br>> if(logDNSQueries) {<br>> <br>> It should apply cleanly to 3.0 and with little trouble to several older<br>> releases, including 2.9.22 and 2.9.21.<br>> <br>> This bug resurfaced because over time,the check for 'not responding to</div>> responses' moved to the wrong place, allowing certain responses to be processed<br>> anyhow.<br>> <br>> We would like to thank Ray Morris of BetterCGI.com for bringing this issue to<br>> our attention and Aki Tuomi for helping us reproduce the problem.<br>> <br>> Kind regards,<br>> <br>> Bert Hubert<br>> _______________________________________________<br>> Pdns-users mailing list<br>> Pdns-users@mailman.powerdns.com<br>> http://mailman.powerdns.com/mailman/listinfo/pdns-users<br><br><br> </body>