[Pdns-users] PowerDNS Security Announcement 2016-01
Alejandro Adroher Mellado
alejandro.adroher at omniaccess.com
Mon Sep 12 10:47:22 UTC 2016
Sorry .... solved now.
The chroot=./ option enabled on both the recursor and the authoritative server seems to be the main cause.
Having both services under the same directory ... is it enough to chroot only one of them?
Thanks, Ale.
-----Original Message-----
From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Alejandro Adroher Mellado
Sent: Monday, 12 September 2016 12:38
To: Remi Gacogne <remi.gacogne at powerdns.com>; pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] PowerDNS Security Announcement 2016-01
Could it be the socket file permissions ...?
0 srw-rw---- 1 root pdns 0 Sep 12 11:35 pdns.controlsocket
4.0K -rw-r--r-- 1 root root 6 Sep 12 11:35 pdns.pid
0 srwxr-xr-x 1 root root 0 Sep 12 11:35 pdns_recursor.controlsocket
4.0K -rw-r--r-- 1 root root 6 Sep 12 11:35 pdns_recursor.pid
-----Original Message-----
From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Alejandro Adroher Mellado
Sent: Monday, 12 September 2016 12:33
To: Remi Gacogne <remi.gacogne at powerdns.com>; pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] PowerDNS Security Announcement 2016-01
Hi all ...
I've recently updated one Authoritative from 3.4.7 to 4.0.1-1pdns.trusty.
The service is working fine, but I can't restart it (I use the gmysql backend). The log says: Previous controlsocket './var/run/pdns.controlsocket' is in use
And my config is like:
Api key configured
Carbon server configured
chroot=./
config-dir=/etc/powerdns
daemon=no
guardian=no
launch=gmysql
local-address=172.16.5.140
local-port=53
logging-facility=3
loglevel=4
module-dir=/usr/local/lib/pdns (gmysql config)
out-of-zone-additional-processing=yes
setgid=pdns
setuid=pdns
socket-dir=/var/run
I deleted the socket once after I killed the process to avoid socket reuse issues .... it is recreated correctly when the service starts, but I still cannot restart the service.
A "service pdns status" tells me the service is not running .... but it is. Tested with nslookup.
Can someone tell me what I'm missing........
Thanks a lot.
-----Original Message-----
From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Alejandro Adroher Mellado
Sent: Friday, 9 September 2016 16:02
To: Remi Gacogne <remi.gacogne at powerdns.com>; pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] PowerDNS Security Announcement 2016-01
Thanks Remi.
-----Original Message-----
From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Remi Gacogne
Sent: Friday, 9 September 2016 15:45
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] PowerDNS Security Announcement 2016-01
Hi Alejandro,
On 09/09/2016 03:27 PM, Alejandro Adroher Mellado wrote:
> I have 5 of the affected Authoritatives with version 3.4.7. Before
> updating the version to 3.4.10 or 4, I'd like to protect them with
> dnsdist, but the QNameWireLengthRule and QNameLabelsCountRule have been
> added in the latest dnsdist version 1.1.0-beta1, and we have 1.0.0.
>
> Is there any way to be protected using dnsdist v 1.0.0 ... at least
> during the weekend, before the proper updates I will do next week?
First of all, keep in mind that the issues fixed in 3.4.10 are of low to medium severity only, and simply having dnsdist in front of your servers already mitigates CVE-2016-5426 since dnsdist will drop qnames with a wirelength > 255.
Ideally I would advise upgrading to dnsdist 1.1.0-beta1 if you can, because filtering would be much easier then. That being said, in dnsdist 1.0.0 you can use addLuaAction() and a bit of Lua code to do some basic checks. dq.qname:toString() will give you a string representation of the query's qname.
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
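The approach Remi describes above, written out as an added example (it is not code from this thread, from Remi, or from the dnsdist project): a dnsdist 1.0.0 Lua action that derives the label count and an estimate of the wire length from dq.qname:toString() and drops queries exceeding either limit, standing in for the QNameWireLengthRule and QNameLabelsCountRule that only exist in 1.1.0-beta1. The thresholds, the helper names and the dotted, fully-qualified form of the string ("www.example.com.") are assumptions; the 255-byte bound is the RFC 1035 maximum name length.

```lua
-- Added example for dnsdist 1.0.0; not from the thread or the dnsdist project.
-- Assumptions: the thresholds are illustrative and should be tuned to your zones;
-- dq.qname:toString() returns the dotted, fully-qualified name ("www.example.com.").
local MAX_LABELS = 30          -- assumed threshold for the number of labels
local MAX_WIRE_LENGTH = 255    -- RFC 1035 maximum length of a name on the wire

-- Derive the label count and an estimate of the wire length from the string form.
-- On the wire each label costs one length byte plus its characters, and the root
-- label adds a final zero byte. Caveat: a dot escaped inside a label ("a\.b") is
-- counted here as a separator, so the estimate can be slightly off for such names.
local function qnameMetrics(name)
  local labels, wire = 0, 1
  for label in string.gmatch(name, "([^%.]+)") do
    labels = labels + 1
    wire = wire + 1 + #label
  end
  return labels, wire
end

-- The Lua action: dnsdist 1.0.0 expects an action and a string to be returned.
local function qnameSanityAction(dq)
  local labels, wire = qnameMetrics(dq.qname:toString())
  if wire > MAX_WIRE_LENGTH or labels > MAX_LABELS then
    -- Drop rather than answer, so the backend never sees the oversized name.
    return DNSAction.Drop, ""
  end
  return DNSAction.None, ""
end

-- Apply the check to every query before it reaches the authoritative servers.
addLuaAction(AllRule(), qnameSanityAction)
```

Place this in dnsdist.conf ahead of any pool or forwarding rules so it runs before queries are dispatched. Because the metrics come from the printable form rather than the raw packet, treat the wire-length value as an estimate; the label-count limit is the check that the 1.0.0 drop of names longer than 255 bytes does not already cover.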
_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users