[Pdns-announce] Workaround for PowerDNS Security Advisory 2014-02
bert hubert
bert.hubert at netherlabs.nl
Tue Dec 9 14:31:36 UTC 2014
Hi everybody,
>From PowerDNS users we have heard of problems caused by various domain names
related to PowerDNS Security Advisory 2014-02 (CVE-2014-8601),
http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/
If you are not yet in a position to upgrade to 3.6.2, or even if you have
upgraded and traffic for these domains is causing CPU spikes anyhow, we
recommend the following configuration line as a workaround:
auth-zones=ezdns.es=nullzone,ezdns.gs=nullzone,ezdns.it=nullzone,ezdns.la=nullzone,ezdns.me=nullzone,ezdns.ms=nullzone,ezdns.pl=nullzone,ezdns.pm=nullzone,ezdns.re=nullzone,ezdns.so=nullzone,ezdns.sx=nullzone,ezdns.tf=nullzone,ezdns.wf=nullzone,ezdns.yt=nullzone
And this file 'nullzone':
@ 3600 IN SOA ns hostmaster 2013041204 9000 450 604800 450
@ 3600 IN NS ns1
ns1 3600 IN A 127.0.0.1
You might need to add a path to nullzone for this to work reliably.
This functions pretty well for us in testing. It will kill some domains that
currently don't work anyhow, but relax your CPU a lot if you are under
attack.
You can update auth-zones using 'rec_control reload-zones' at runtime
without restarting the recursor, which will discover new zones to be blocked
or no no longer blocked.
Again, if you have any questions, please either contact us on our mailing
lists, or privately via powerdns.support at powerdns.com (should you wish to
make use of our SLA-backed support program).
Bert
--
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372
More information about the Pdns-announce
mailing list