[Pdns-announce] Workaround for PowerDNS Security Advisory 2014-02

bert hubert bert.hubert at netherlabs.nl
Wed Dec 10 12:02:21 UTC 2014


Hi everybody,

We're talking to many impacted PowerDNS users today. No matter what version
of the PowerDNS Recursor you run, if you have any problems with
ezdns/tracker.istole.it/ezrss/eztv domains today, we recommend the
'nullzoning' from below.

	Bert


On Tue, Dec 09, 2014 at 03:31:35PM +0100, bert hubert wrote:
> Hi everybody,
> 
> From PowerDNS users we have heard of problems caused by various domain names
> related to PowerDNS Security Advisory 2014-02 (CVE-2014-8601),
> http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/
> 
> If you are not yet in a position to upgrade to 3.6.2, or even if you have
> upgraded and traffic for these domains is causing CPU spikes anyhow, we
> recommend the following configuration line as a workaround:
> 
> auth-zones=ezdns.es=nullzone,ezdns.gs=nullzone,ezdns.it=nullzone,ezdns.la=nullzone,ezdns.me=nullzone,ezdns.ms=nullzone,ezdns.pl=nullzone,ezdns.pm=nullzone,ezdns.re=nullzone,ezdns.so=nullzone,ezdns.sx=nullzone,ezdns.tf=nullzone,ezdns.wf=nullzone,ezdns.yt=nullzone
> 
> And this file 'nullzone':
> @		3600	IN	SOA	ns hostmaster 2013041204 9000 450 604800 450
> @		3600	IN	NS	ns1
> ns1		3600	IN	A	127.0.0.1
> 
> You might need to add a path to nullzone for this to work reliably.
> 
> This functions pretty well for us in testing. It will kill some domains that
> currently don't work anyhow, but relax your CPU a lot if you are under
> attack.
> 
> You can update auth-zones using 'rec_control reload-zones' at runtime
> without restarting the recursor, which will discover new zones to be blocked
> or no longer blocked.
> 
> Again, if you have any questions, please either contact us on our mailing
> lists, or privately via powerdns.support at powerdns.com (should you wish to
> make use of our SLA-backed support program).
> 
> 	Bert
> 
> -- 
> PowerDNS Website: http://www.powerdns.com/
> Contact us by phone on +31-15-7850372
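The auth-zones workaround quoted above, as an added helper that is not PowerDNS's own code or part of the original mail: it parses an `auth-zones` value, reports which of the advisory domains are not yet pointed at the nullzone, and rebuilds the line with an absolute zone-file path (the "add a path" remark). The domain list and zone-file contents are copied from the mail; the function names and the `/etc/powerdns/nullzone` location are assumptions.

```python
"""Helper for the 'nullzone' auth-zones workaround (added example)."""
import os

# Domains listed in the workaround mail (copied from the quoted message).
NULLZONED_DOMAINS = [
    "ezdns.es", "ezdns.gs", "ezdns.it", "ezdns.la", "ezdns.me", "ezdns.ms",
    "ezdns.pl", "ezdns.pm", "ezdns.re", "ezdns.so", "ezdns.sx", "ezdns.tf",
    "ezdns.wf", "ezdns.yt",
]

# Contents of the 'nullzone' file from the mail: a minimal zone whose only
# NS resolves to 127.0.0.1, so the recursor answers locally and never
# queries the real authoritative servers for these names.
NULLZONE_CONTENT = (
    "@\t\t3600\tIN\tSOA\tns hostmaster 2013041204 9000 450 604800 450\n"
    "@\t\t3600\tIN\tNS\tns1\n"
    "ns1\t\t3600\tIN\tA\t127.0.0.1\n"
)


def parse_auth_zones(value):
    """Parse 'zone=file,zone=file' (optionally prefixed with 'auth-zones=')
    into a dict of zone -> file path; zone names are normalised to lower case."""
    if value.startswith("auth-zones="):
        value = value[len("auth-zones="):]
    zones = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed auth-zones entry: %r" % item)
        zone, path = item.split("=", 1)
        zones[zone.strip().rstrip(".").lower()] = path.strip()
    return zones


def missing_nullzones(value, domains=NULLZONED_DOMAINS):
    """Return the advisory domains that this auth-zones value does not yet block."""
    zones = parse_auth_zones(value)
    return [d for d in domains if d not in zones]


def build_auth_zones(existing, zone_file, domains=NULLZONED_DOMAINS):
    """Merge the nullzone entries into an existing auth-zones value, keeping
    unrelated zones and pointing every nullzoned domain at an absolute path."""
    zones = parse_auth_zones(existing)
    abs_path = os.path.abspath(zone_file)  # assumed location, e.g. /etc/powerdns/nullzone
    for d in domains:
        zones[d] = abs_path
    return "auth-zones=" + ",".join("%s=%s" % (z, p) for z, p in zones.items())
```

After writing `NULLZONE_CONTENT` to the chosen path and placing the returned line in recursor.conf, `rec_control reload-zones` picks the change up without a restart, as the mail notes.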
