[Pdns-users] PowerDNS Security Announcement 2016-01

Remi Gacogne remi.gacogne at powerdns.com
Fri Sep 9 13:44:59 UTC 2016


Hi Alejandro,

On 09/09/2016 03:27 PM, Alejandro Adroher Mellado wrote:
> I have 5 of the affected Authoritatives with version 3.4.7. Before
> updating the version to 3.4.10 or 4, I'd like to protect them with
> dnsdist, but the QNameWireLengthRule and QNameLabelsCountRule were
> added in the latest dnsdist version, 1.1.0-beta1, and we have 1.0.0.
> 
> Is there any way to be protected using dnsdist v 1.0.0 ... at least
> during the weekend, before the proper updates I will do next week?

First of all, keep in mind that the issues fixed in 3.4.10 are of low to
medium severity only, and simply having dnsdist in front of your servers
already mitigates CVE-2016-5426 since dnsdist will drop qnames with a
wirelength > 255.

Ideally I would advise upgrading to dnsdist 1.1.0-beta1 if you can,
because filtering would be much easier then. That being said, in dnsdist
1.0.0 you can use addLuaAction() and a bit of Lua code to do some basic
checks. dq.qname:toString() will give you a string representation of the
query's qname.

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
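
A sketch of the addLuaAction() approach described in the reply, for a dnsdist 1.0.0 configuration file. This is an added example, not code from the original message or from PowerDNS: the helper names countLabels and qnameGuard are hypothetical, and MAX_LABELS is an assumed, site-specific threshold rather than a value from the advisory.

```lua
-- Added example: label-count filter for dnsdist 1.0.0 via addLuaAction().
-- MAX_LABELS is an assumed threshold; tune it to the deepest name you serve.
local MAX_LABELS = 20

-- Count labels in the presentation form returned by dq.qname:toString().
-- A backslash escapes what follows ("\." is a dot inside a label, "\DDD" is
-- a decimal-escaped byte), so only unescaped dots separate labels.
local function countLabels(name)
  if name == "" or name == "." then
    return 0                      -- root name has no labels
  end
  local labels, inLabel = 0, false
  local i, n = 1, #name
  while i <= n do
    local c = name:sub(i, i)
    if c == "\\" then
      -- skip the whole escape sequence so an escaped dot is not counted
      if name:sub(i + 1, i + 3):match("^%d%d%d$") then
        i = i + 4
      else
        i = i + 2
      end
      inLabel = true
    elseif c == "." then
      labels = labels + 1
      inLabel = false
      i = i + 1
    else
      inLabel = true
      i = i + 1
    end
  end
  if inLabel then
    labels = labels + 1           -- name printed without a trailing dot
  end
  return labels
end

-- Over-long wire names are not checked here: as the reply notes, dnsdist
-- itself already drops qnames with a wire length above 255.
function qnameGuard(dq)
  if countLabels(dq.qname:toString()) > MAX_LABELS then
    return DNSAction.Drop, ""     -- discard the query, backend never sees it
  end
  return DNSAction.None, ""       -- fall through to the remaining rules
end

-- Apply the check to queries from all IPv4 and IPv6 clients.
addLuaAction({"0.0.0.0/0", "::/0"}, qnameGuard)
```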
