One security vulnerability can enable a successful denial of service attack, disabling your DNS.
Most of the vulnerabilities discovered in BIND 9 are ways to trigger INSIST or ASSERT failures, which cause BIND to exit. When an external user can reliably cause the BIND process to exit, that is a very effective denial of service (DoS) attack. Nanny scripts can restart BIND 9, but in some cases it may take hours to reload, and the server is vulnerable to being shut down again.
Why take unnecessary risk? Protect yourself and your organization by subscribing to ISC’s ASN service.
This annual subscription-based service protects your BIND servers.
One yearly flat fee covers any organization, regardless of size. You may designate up to four individuals to be notified in the event of a security vulnerability. Your organization will receive notification before the general public, with a patch or patched version of BIND three days prior to any public announcement.
Please note that ASN requires execution of a Non-Disclosure Agreement, to protect both ISC and its customers.
How Does the ASN Work?
ISC follows a careful, published process for handling all serious reported issues.
We are usually able to handle BIND 9 vulnerabilities with our managed disclosure process.*
When a vulnerability is discovered, either through our own testing or by a private report to ISC, we first verify the problem and then we work around the clock to address it. Once we have a solution, we schedule a coordinated public announcement. As much as five days (and at least 3 business days) BEFORE the public announcement, we notify our subscribers of the problem, individually and privately, and offer them a revised version of BIND that fixes the problem.
If you are running a current version of a major operating system, we have a restricted-access repository for our subscribers, where we update the packages for you.
* In some cases, a vulnerability is disclosed publicly by the reporter, in which case we are not able to manage the disclosure.
You can protect your DNS. Contact us to find out how.
How Often Are There Vulnerabilities in BIND 9?
BIND 9 is not on the list of the top 50 software applications as far as reported security vulnerabilities, but we do typically learn of 4-5 new serious vulnerabilities every year. Most of the new vulnerabilities discovered have been in the software for years, but they are exposed by new software “fuzz testing” techniques that can hammer the software with random malformed messages until one impairs the server’s function. Even if an existing vulnerability has never been used in an Internet attack, it is still important to update BIND 9 servers to prevent future abuse.
The website cvedetails.com displays information on past vulnerabilities by vendor and product. ISC maintains the original announcements in our Knowledgebase, along with a matrix showing which vulnerabilities apply to which BIND 9 releases.