[Pdns-users] Workaround for PowerDNS Security Advisory 2014-02

bert hubert bert.hubert at netherlabs.nl
Tue Dec 9 14:31:36 UTC 2014


Hi everybody,

From PowerDNS users we have heard of problems caused by various domain names
related to PowerDNS Security Advisory 2014-02 (CVE-2014-8601),
http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/

If you are not yet in a position to upgrade to 3.6.2, or even if you have
upgraded and traffic for these domains is causing CPU spikes anyhow, we
recommend the following configuration line as a workaround:

auth-zones=ezdns.es=nullzone,ezdns.gs=nullzone,ezdns.it=nullzone,ezdns.la=nullzone,ezdns.me=nullzone,ezdns.ms=nullzone,ezdns.pl=nullzone,ezdns.pm=nullzone,ezdns.re=nullzone,ezdns.so=nullzone,ezdns.sx=nullzone,ezdns.tf=nullzone,ezdns.wf=nullzone,ezdns.yt=nullzone

And this file 'nullzone':
@		3600	IN	SOA	ns hostmaster 2013041204 9000 450 604800 450
@		3600	IN	NS	ns1
ns1		3600	IN	A	127.0.0.1

You might need to add a path to nullzone for this to work reliably.

This functions pretty well for us in testing. It will kill some domains that
currently don't work anyhow, but relax your CPU a lot if you are under
attack.  

You can update auth-zones using 'rec_control reload-zones' at runtime
without restarting the recursor, which will discover new zones to be blocked
or no longer blocked.

Again, if you have any questions, please either contact us on our mailing
lists, or privately via powerdns.support at powerdns.com (should you wish to
make use of our SLA-backed support program).

	Bert

-- 
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372
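
An added example, not part of the message above and not PowerDNS tooling: a shell function that builds the auth-zones line from a list of domains, using an absolute zone file path as the message suggests may be needed. The function name build_auth_zones and the path /etc/powerdns/nullzone are assumptions; the name check is deliberately conservative.

```shell
#!/bin/sh
# build_auth_zones ZONEFILE < domains.txt
# Reads one domain per line and prints a single "auth-zones=..." line that
# maps every domain to ZONEFILE. ZONEFILE must be an absolute path so the
# recursor finds it regardless of its working directory.
build_auth_zones() {
    zonefile=$1
    case $zonefile in
        /*) ;;
        *) echo "zone file path must be absolute: $zonefile" >&2; return 1 ;;
    esac
    # Normalise input: strip comments and whitespace, drop a trailing dot,
    # lowercase. Names with characters outside [a-z0-9.-] are skipped,
    # because a stray ',' or '=' would corrupt the domain=file list.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/\.$//' |
    tr 'A-Z' 'a-z' |
    awk -v zf="$zonefile" '
        $0 == "" { next }
        $0 !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/ {
            printf "skipping invalid name: %s\n", $0 > "/dev/stderr"; next
        }
        # Deduplicate while keeping input order.
        !seen[$0]++ { list = list (n++ ? "," : "") $0 "=" zf }
        END { if (n) print "auth-zones=" list; else exit 1 }
    '
}

# Demo: two domains from the message plus constructed duplicate/invalid input.
# /etc/powerdns/nullzone is an assumed location for the nullzone file.
printf '%s\n' 'ezdns.es' 'EZDNS.gs.' 'ezdns.es' 'bad,name=x' '# comment' |
    build_auth_zones /etc/powerdns/nullzone
```

After placing the generated line in the recursor configuration, 'rec_control reload-zones' applies it without a restart, as described in the message.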
