
Dan Bernstein Confirms Security Flaw In Djbdns

timothy posted more than 5 years ago | from the gets-yer-money-and-takes-yer-chances dept.

Security 66

secmartin writes "Dan Bernstein has just admitted that a security issue has been found in the djbdns software, one of the most popular alternatives to the BIND nameserver. As part of the djbdns security guarantee, $1000 will be paid to Matthew Dempsky, the researcher who found the bug. The bug allows a nameserver running djbdns to be poisoned using just a single packet. Other researchers have found a separate issue that allows dnscache, the DNS cache that is also part of the djbdns package, to be poisoned within just 18 minutes when using the default configuration. Anyone using djbdns is strongly encouraged to patch their servers immediately." Reader emad contributes a link to the djbdns mailing list post containing both a patch and a sample exploit, and adds: "In the words of Dan Kaminsky (of recent DNS security fame): 'However, Dempsky's bug in djb's tinydns is way more surprising, if only because ... holy crap, he pulled an exploitable scenario out of THAT?!'"


66 comments

Do not use for anything important (4, Funny)

Wonko the Sane (25252) | more than 5 years ago | (#27082373)

Why would anyone trust critical internet infrastructure to a piece of software that averages a security flaw every decade?

Real admins stick to a proven solution such as Bind.

Re:Do not use for anything important (1)

Omnifarious (11933) | more than 5 years ago | (#27082455)

*laugh* Yes, such a low security flaw rate is highly suspicious, and worse yet doesn't create enough work for admins! Bind is much, much better in this regard.

Could be worth more than 1K (0)

Anonymous Coward | more than 5 years ago | (#27082403)

I think the upgraded reputation of Dempsky will be worth more than $1000.

BTW, First

Re:Could be worth more than 1K (1)

Slumdog (1460213) | more than 5 years ago | (#27082587)

I think the upgraded reputation of Dempsky will be worth more than $1000.

BTW, First

OK, you're not First... how does that upgrade your reputation?

Re:Could be worth more than 1K (0)

Anonymous Coward | more than 5 years ago | (#27084469)

And *you* have a username (apparently recently registered) that shares a name with a rather mediocre, overhyped recent movie =p

Yes! Yay for Dempsky (1)

Slumdog (1460213) | more than 5 years ago | (#27082409)

It's uncommon for D.J. Bernstein to admit a mistake (take qmail for example).

Re:Yes! Yay for Dempsky (0)

Anonymous Coward | more than 5 years ago | (#27086327)

I know! The news here ISN'T so much that a security flaw has been found, but that Dan Bernstein has actually admitted it's a flaw!

(There are no security flaws in Qmail because nobody runs Qmail on 64-bit machines with many gigabytes of RAM, says Dan. Of course, the amount of RAM is irrelevant if ASLR and suchlike is in use..)

Maybe he's getting a little more humble as he gets older?

Re:Yes! Yay for Dempsky (1)

Onymous Coward (97719) | more than 5 years ago | (#27087625)

How does Address Space Layout Randomization (ASLR) affect total memory usage and its implications for counter values?

4 GB per process is what they were talking about. Really, seems improbable to me. Isn't that a bit like too many coops in one basket?

Hell must have frozen over (4, Interesting)

MichaelSmith (789609) | more than 5 years ago | (#27082419)

DJB admitted to a bug.

I run qmail by the way. DJB writes good stable software but I get the impression he is not a good listener.

Re:Hell must have frozen over (1)

pak9rabid (1011935) | more than 5 years ago | (#27082655)

DJB writes good stable software but I get the impression he is not a good listener.

Agreed. I have issues with his 'fuck what the rest of the community does, it's my way or the highway' mentality. One of the reasons I opted for MaraDNS instead of djbdns at one of our smaller sites.

Re:Hell must have frozen over (1)

morgan_greywolf (835522) | more than 5 years ago | (#27082893)

'fuck what the rest of the [world] does, it's my way or the highway'

Why does that attitude seem so familiar? There was a guy with that attitude I'd heard about once before...S....t....uart? No....S...t..an? No......S...t...e...

Aw, hell, I can't think of it. Anyhow, last name started with 'J'.

Re:Hell must have frozen over (2, Funny)

Randle_Revar (229304) | more than 5 years ago | (#27087891)

I recently saw a blog post contemplating what it would be like if Jorg Schilling (cdrtools/cdrecord) got in an argument with Daniel Bernstein.

I figure for real entertainment, add in ESR, the XFree86 guys and Tuomov (Ion WM)

Re:Hell must have frozen over (0)

Anonymous Coward | more than 5 years ago | (#27106981)

Got a spare chair that you can handcuff Hans Reiser to?

Re:Hell must have frozen over (1)

secmartin (1336705) | more than 5 years ago | (#27087967)

Well actually, in this case, he seems to be having a better attitude; he's confirmed that there is a real issue, and even links to Dempsky's patch. So there appears to be some improvement here, which was one of the reasons I submitted this to slashdot!

Re:Hell must have frozen over (1)

gweihir (88907) | more than 5 years ago | (#27088455)

Me too. DJB's documentation and configuration approach is also highly confusing. I have run Qmail for 4 years now on what used to be my main machine. When it runs, it runs fine, but it was a real adventure getting there. For new installations I now use Postfix. Far, far less obscure to configure.

The other problem with DJB's software that actually broke things is his ideas about time handling. I had to drop his ntp software because of that.

My bottom line is that with regard to security and stability DJB's stuff is second to none. However, the usability, interoperability and documentation angles can be a real problem.

Re:Hell must have frozen over (0, Troll)

Slumdog (1460213) | more than 5 years ago | (#27083163)

DJB admitted to a bug. I run qmail by the way. DJB writes good stable software but I get the impression he is not a good listener.

I'll give you a bit of "Trivia" fact about D.J. Bernstein. His father is Dr. H.J. Bernstein, another professor who is not a good listener, but talks a lot and complains a lot (he was kicked out of SUNY Stony Brook.) I hear that DJB never visits his father for years at a stretch. What does that tell you about his upbringing?

Re:Hell must have frozen over (4, Insightful)

discord5 (798235) | more than 5 years ago | (#27083515)

I hear that DJB never visits his father for years at a stretch. What does that tell you about his upbringing?

Yeah, well, I heard that he eats babies. If you want to smear the guy's reputation go with the part that most people here actually care about: his work. There's ample opportunity in that department to bash him, sometimes even rightly so.

Re:Hell must have frozen over (1)

Slumdog (1460213) | more than 5 years ago | (#27083983)

If you want to smear the guy's reputation

I really don't want to smear/spear his reputation. Just explaining the origins of his reputation as someone who disregards suggestions

the part that most people here actually care about: his work.

A person's influence doesn't end with his work. His actions and arrogance are important too.

Re:Hell must have frozen over (2, Informative)

pseudonomous (1389971) | more than 5 years ago | (#27084365)

I've met him; he was a professor at my university when I was an undergrad, and he used to help the math club practice for taking the Putnam exam. He's actually a fairly nice guy when you meet him in person.

Re:Hell must have frozen over (1)

Just Some Guy (3352) | more than 5 years ago | (#27090627)

He's actually a fairly nice guy when you meet him in person.

His students might disagree [slashdot.org].

Re:Hell must have frozen over (0)

Anonymous Coward | more than 5 years ago | (#27099541)

You disagree (as is well documented in your posting history), but his students don't appear to.

Re:Hell must have frozen over (0)

Anonymous Coward | more than 5 years ago | (#27094227)

At least he doesn't chop up his wife and feed her to pigeons!

I don't care if he dances in an orange tutu - The code is tight and there's little room for mistakes. I do wish he would extend just a little bit though.

Re:Hell must have frozen over (0)

Anonymous Coward | more than 5 years ago | (#27086371)

You obviously don't know what you are talking about. H.J. Bernstein never worked in SUNY Stony Brook.

Re:Hell must have frozen over (1)

rahvin112 (446269) | more than 5 years ago | (#27083525)

He's a collage professor. If he "listened" his head would explode from all the bad information he receives from young college students that think they know everything.

It's survival instinct to stop listening once you become a teacher, otherwise the results could be catastrophic. The teacher could become aware that all the students are idiots that make garden snails look like PhD candidates and attempt mass murder of the student body.

News Flash: Teacher listens to students and climbs bell tower with high power rifle.

Re:Hell must have frozen over (1)

khellendros1984 (792761) | more than 5 years ago | (#27084525)

collage professor

young college students

Tee hee =p

Re:Hell must have frozen over (1)

timothy (36799) | more than 5 years ago | (#27087435)

In my sister's college application essays (one of them, at least), she outlined her reasons for wanting to attend a "four-year collage." Will always make me chuckle.

(But then, my brother teased me for years for pronouncing "pier" identically to "pyre.")

timothy

Re:Hell must have frozen over (0)

Anonymous Coward | more than 5 years ago | (#27092003)

In my sister's college application essays (one of them, at least), she outlined her reasons for wanting to attend a "four-year collage." Will always make me chuckle.

And this from a Slashdot editor...

Yay! (2, Interesting)

Anonymous Coward | more than 5 years ago | (#27082441)


DJBDNS now has 1/3 as many exploits as OpenBSD for the past decade+.

How's Microsoft doing on that front?

Oh wait.

Re:Yay! (0)

Anonymous Coward | more than 5 years ago | (#27083137)

Microsoft does not stop at 1/3.

Re:Yay! (0)

Anonymous Coward | more than 5 years ago | (#27086339)

They embrace and extend the vulnerabilities, then patent the techniques.

This is all part of their plan to eventually maintain legal rights to all software flaws, thus ultimately protecting us from them as we won't be able to re-implement them in our products.

People don't give Microsoft enough credit for their altruism.

Re:Yay! (1)

mokus000 (1491841) | more than 5 years ago | (#27084779)

To be fair, Windows is probably proportionally about as much larger than (the default install of) OpenBSD as OpenBSD is than DJBDNS.

So you ought to allow Windows about 9 vulnerabilities in that time ;-)

Seriously though, I wonder at what sort of rate the expected number of vulnerabilities should increase with respect to the size of a codebase, given somehow equivalent levels of "correctness". Intuitively, I suspect it'd be at least O(size^2), if not much, much faster.

Re:Yay! (0)

Anonymous Coward | more than 5 years ago | (#27085005)

Given the probability b of a bug in a unit of code, the probability of that unit of code being correct is 1-b. Two units of code with equal probability of being incorrect then have a combined probability of (both) being correct which is (1-b)*(1-b). Three units: (1-b)^3, four units (1-b)^4, and so on. The correctness probability decays exponentially with code complexity. KISS.

This should be front page news (5, Funny)

Omnifarious (11933) | more than 5 years ago | (#27082523)

Finding a security flaw in anything Dan Bernstein writes is definitely worthy of being on the front page, even if almost everybody uses Bind instead.

Re:This should be front page news (4, Funny)

Anonymous Coward | more than 5 years ago | (#27082591)

finding anyone who uses anything Dan Bernstein writes is definitely worthy of being on the front page.

Re:This should be front page news (0)

Anonymous Coward | more than 5 years ago | (#27088577)

I use djbdns you insensitive clod. :(

DJBDNS HOCKS (0)

Anonymous Coward | more than 5 years ago | (#27083757)

DAMN!!!
I have to take our company DNS servers offline (6 Pentium MMX 233 with 1 GB RAM each, for almost 5000 machines behind them in a kind of "cluster") for the 4th time in the last 13 years.
Hey Mr. Dan, how can this be? 4 times in 13 years. I believed in you; this was supposed to never happen. :-)
DJBDNS HOCKS.

oh, _that_'s the bug? (5, Insightful)

Onymous Coward (97719) | more than 5 years ago | (#27084021)

Since I'm one of the admins who's enjoyed having a vulnerability-free djbdns installation for years, I thought I'd look more into the vuln.

Say what you will about DJB, other than being seemingly ornery he appears to be forthright and focused on correctness. In under a week he confirms the vuln and posts a patch and awards the security guarantee money. This is the kind of behavior I want from the people who build my software. http://article.gmane.org/gmane.network.djbdns/13864 [gmane.org]

Here's the bug:

If the administrator of example.com publishes the example.com DNS data
through tinydns and axfrdns, and includes data for sub.example.com
transferred from an untrusted third party, then that third party can
control cache entries for example.com, not just sub.example.com.

How many of you are running domains like this? It's not something I need to bother patching for. Ah, I guess that's another great thing about the relative rarity of bugs. If one is found it's less likely to be relevant for your particular situation.

The article submitter says:

"Anyone using djbdns is strongly encouraged to patch their servers immediately."

I think "anyone" is a bit strong here.
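One mitigation for the scenario in the quoted bug description, as an added example (not djbdns code and not Dempsky's patch): a bailiwick filter that, before tinydns data received from the sub.example.com operator is merged into the example.com data file, rejects every line that would create a record for an owner name outside sub.example.com, including the extra A record that `.`, `&` and `@` lines create for a dotted host name. The sample data lines and the host names in them are constructed.

```python
"""Bailiwick filter for tinydns data received from a third party.

Added example, not code from djbdns or from Dempsky's patch. Models one
mitigation for the bug described above: drop every third-party record that
would create data for an owner name outside the delegated subdomain.
"""

# tinydns-data line types whose third field names an extra host that also
# receives an A record (x.ns.fqdn / x.mx.fqdn when x has no dot, else x itself)
EXTRA_HOST_TYPES = {".", "&", "@"}
# Line types that carry a record whose owner name is in the first field
RECORD_TYPES = {".", "&", "=", "+", "@", "'", "^", "C", "Z", ":", "-"}


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip any trailing dot."""
    return name.strip().rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (label boundary respected)."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def owner_names(line: str) -> list:
    """All owner names a single tinydns data line creates records for."""
    kind, fields = line[0], line[1:].split(":")
    names = [fields[0]]
    # A dotted x is taken literally by tinydns-data and gets its own A record;
    # an undotted x becomes x.ns.fqdn or x.mx.fqdn, which is always in-zone.
    if kind in EXTRA_HOST_TYPES and len(fields) > 2 and "." in fields[2]:
        names.append(fields[2])
    return names


def filter_delegated_data(lines, zone: str):
    """Split third-party data lines into (accepted, rejected-with-reason)."""
    accepted, rejected = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        if line[0] not in RECORD_TYPES:
            # e.g. '%' location lines alter resolution for the whole data file
            rejected.append((line, "not a record line"))
            continue
        bad = [n for n in owner_names(line) if not in_bailiwick(n, zone)]
        if bad:
            rejected.append((line, "out of bailiwick: " + ", ".join(bad)))
        else:
            accepted.append(line)
    return accepted, rejected


# Constructed sample of what a third party might hand over for sub.example.com
SAMPLE = [
    "# zone data for sub.example.com (constructed)",
    ".sub.example.com:192.0.2.53:a:86400",                # NS a.ns.sub.example.com
    "+www.sub.example.com:192.0.2.10:3600",
    "Cmail.sub.example.com:www.sub.example.com:3600",
    "+xsub.example.com:192.0.2.99:3600",                  # label trick, not in-zone
    "&sub.example.com:192.0.2.66:ns1.example.com:86400",  # plants A for parent's NS
    "+ns2.example.com:198.51.100.7:3600",                 # parent-zone name
    "%in:10",                                             # global location line
]


def demo():
    """Run the filter over the constructed sample."""
    return filter_delegated_data(SAMPLE, "sub.example.com")


if __name__ == "__main__":
    ok, dropped = demo()
    print("accepted:", *ok, sep="\n  ")
    print("rejected:", *(f"{l}  <- {why}" for l, why in dropped), sep="\n  ")
```

A pre-2009 tinydns would still answer with whatever reached its data file, so this check belongs in the import step, before tinydns-data compiles the cdb.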

what about the man's attitude? (5, Insightful)

Onymous Coward (97719) | more than 5 years ago | (#27084125)

I just realized this:

The next release of djbdns will be backed by a new security guarantee.
In the meantime, if any users are in the situation described above,
those users are advised to apply Dempsky's patch and requested to accept
my apologies.

He's apologizing. How's that for forthright behavior? He's not being evasive. He's not pointing fingers. He's owning up to personal error, and expressing what appears to be compunction. For one bug in a decade.

Yeah, tell me how you don't like his attitude. I think it's fine.

Mr. Bernstein, good work I say. Thank you very much for your efforts and skill and honesty.

Re:what about the man's attitude? (2, Informative)

myowntrueself (607117) | more than 5 years ago | (#27084581)

Well yeah, I am amazed!

When someone (Fyodor iirc) found an exploit in qmail way back, Dan was in complete denial and was quite disingenuous about the whole thing.

Re:what about the man's attitude? (1)

Onymous Coward (97719) | more than 5 years ago | (#27087463)

(George Guninski.)

As I'm very interested in knowing the truth of claims regarding Bernstein's misbehavior, it would help me very much if you could point to specific quotes or actions of his that show "complete denial" and being "disingenuous". Thanks!

Re:what about the man's attitude? (1)

secmartin (1336705) | more than 5 years ago | (#27087961)

Have a look at the article, there's a short summary about the qmail issue. In short, there was a security issue, but because it can only be exploited if qmail was assigned gigabytes of memory (the bug involved a 32-bit memory address), DJB didn't think it was an actual issue.

To quote: Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail's assumption that allocated array lengths fit comfortably into 32 bits.

Re:what about the man's attitude? (1)

Onymous Coward (97719) | more than 5 years ago | (#27088453)

Oh, that's what you mean by "complete denial". I thought you meant denial as in

Denial is a defense mechanism postulated by Sigmund Freud, in which a person is faced with a fact that is too uncomfortable to accept and rejects it instead, insisting that it is not true despite what may be overwhelming evidence.

I didn't realize you meant it in the simple sense of "to state that something is not true".

But maybe you actually do mean the defense mechanism version? I guess then that there would have to be overwhelming evidence. Do you see it as likely or possible that qpopd would be given 4 GB of (even virtual) memory? I'm not familiar with how it's normally run. Anyone?

What about the disingenuous part? Is that also for denying the feasibility of the vulnerability scenario? I take it you think he really believes it's a feasible vuln and he's not being honest about it?

Re:what about the man's attitude? (1)

RedHat Rocky (94208) | more than 5 years ago | (#27091481)

I agree with DJB. If you worked for me and set up qmail with gigs of memory for each qmail-smtpd, I'd fire you. That's an intentional mis-config, not to mention bad practice.

Re:what about the man's attitude? (1)

myowntrueself (607117) | more than 5 years ago | (#27097107)

A simple Google search for Fyodor qmail exploit should do it. It's not hard to find references to it.

Re:what about the man's attitude? (1)

Onymous Coward (97719) | more than 5 years ago | (#27097831)

George Guninski, I'll say again.

I'm pretty sure that's the exploit in question. If you disagree, could you link please?

Re:what about the man's attitude? (1)

Ice Station Zebra (18124) | more than 5 years ago | (#27084597)

Yep, most of what you hear about DJB is nothing more than internet myth and/or people who can't disagree without getting angry.

Re:what about the man's attitude? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27084941)

He's ponying up a thousand dollars, that tells you all you need to know. The closed-source providers make millions from their software, yet how much do they pay out to bug-finders? Bugger all!

Re:what about the man's attitude? (0)

Anonymous Coward | more than 5 years ago | (#27096781)

Mr. Bernstein, good work I say. Thank you very much for your efforts and skill and honesty.

It's Dr. Bernstein, and he does do exceptionally good work!

Re:oh, _that_'s the bug? (1)

rthille (8526) | more than 5 years ago | (#27084997)

I have to agree there; as a user of tinydns/dnscache, this bug doesn't affect me because I don't let other people serve their records from my install of DJBDNS. If I did, I'd likely ask them for a 'data' file, look it over manually and manually install it. Yeah, it's more of a PITA than AXFR, but for my needs it is fine.

Even the other bug with the 200 outstanding requests for a record would be problematic to exploit on my network, since I only allow trusted computers on my network and you have to be on my network to get to my dnscache server. So, the exploit would have to trick a resolver on a client computer on my network to make those 200 identical requests. I think breaking a window and taking my server would be easier :-)

Re:oh, _that_'s the bug? (0)

Anonymous Coward | more than 5 years ago | (#27085541)

How many of you are running domains like this? It's not something I need to bother patching for.

When I first discovered this bug and started to think of how to exploit it, I was very hesitant about whether it would actually qualify for exactly this reason.

However, just because most djbdns installations aren't set up this way doesn't mean it can't affect a lot of users. I'm specifically thinking of services like FreeDNS (freedns.afraid.org).

Now, FreeDNS uses BIND instead of djbdns, but they allowed me to register burlap.afraid.org and set it up with arbitrary DNS records transferred from AXFR. If they were running tinydns/axfrdns, I could have used this bug to poison the A records for ns[1234].afraid.org, and then taken over all 250,000 domains they host.

EveryDNS does use djbdns, and I was able to trigger this bug on their servers, but because I couldn't register burlap.everydns.net, I couldn't actually trick any DNS caches with it. If they did allow me to register that domain, however, I could have taken over all 280,000 domains they host.

I seem to recall other sites that used to allow you to register free third-level domain names, but can't recall any off-hand. If they used djbdns and allowed AXFR slaving, they would be at risk.

There are also a handful of third party DNS providers that use tinydns/axfrdns. DJB lists on his djbdns blurb page [cr.yp.to] "directNIC, MyDomain/NamesDirect, Interland, Dotster, Easyspace, Namezero, Netfirms, and Rackspace Managed Hosting". I did confirm that some of these run tinydns/axfrdns, but I have not looked to see if any of them allow you to register subdomains of their own. If they did, you would be able to take over all of their customers' domains.

So I don't expect that a lot of users are at risk and need to install this patch. However, the users that are at risk are more likely to put hundreds of thousands of domain names at risk if they don't.

-- Matthew

Re:oh, _that_'s the bug? (1)

Onymous Coward (97719) | more than 5 years ago | (#27087561)

Well, yes, the bug is a very big deal for certain implementations. Though counting per installation they may be rare, the extent of their effect is quite great.

I expect it would be fairly trivial for these sites to update (though this is highly dependent). Or was trivial, as I imagine they've already done it.

Considering the extent, your find is of great value. Thanks. Considering the uniqueness of your find and the renown of the software, this is historic. Congratulations.

And I hear you were responsible in your disclosure. If that's the case, then thanks very much for that too.

Re:oh, _that_'s the bug? (0)

Anonymous Coward | more than 5 years ago | (#27086047)

It's important even if you aren't running that scenario now, you might later at such a time when you've forgotten about the security issue.

Re:oh, _that_'s the bug? (1)

Onymous Coward (97719) | more than 5 years ago | (#27087489)

This is very interesting. The idea of patching when harmless though not necessary has some appeal to me, as a ward against future problems as you say, but something doesn't seem quite right about it.

It's unlikely that I'll forget "The djbdns Bug", but more relevantly I don't anticipate accidentally implementing service of delegated subdomains.

Re:oh, _that_'s the bug? (1)

shaitand (626655) | more than 5 years ago | (#27088451)

You make it sound like this is the rarest thing in the world. It's a solid and substantial vulnerability.

Maybe you don't have any third party controlled sub-domains but I assure you it is actually quite common.

Re:oh, _that_'s the bug? (1)

Onymous Coward (97719) | more than 5 years ago | (#27092647)

You make it sound like this is the rarest thing in the world. It's a solid and substantial vulnerability.

I don't mean to make it sound like the "rarest thing in the world". But I wouldn't expect maybe a single Slashdotter to be in this position. Otherwise, please note my comment here [slashdot.org].

Re:oh, _that_'s the bug? (1)

shaitand (626655) | more than 5 years ago | (#27094357)

'But I wouldn't expect maybe a single Slashdotter to be in this position.'

Sub-domain hosting is actually a fairly common thing. If I used tinydns I'd be at risk for this vulnerability now.

Please tell me my tired brain... (0)

Anonymous Coward | more than 5 years ago | (#27084807)

was the only one that produced, "Dan Bernstein Confirms Security Flaw in Dildos."

I'mma go... get some cu-tips. Maybe a couple of boxes of cu-tips.

Confessions of a long-term djb/tiny dns user (1)

MC68040 (462186) | more than 5 years ago | (#27088617)

First of all, I really like djbdns! Up until two weeks ago I ran it for my employer (~700 tlds) and it had been running flawlessly for the last 4 years.

The reason, in the end, for the switch is due to the administrative workload of using djbdns.

Pushing updates to other servers usually involves pushing the .cdb data file to the dns/root directory of each of the resolvers. OK, one chore, fine. The problem is in managing the database.

Managing 50-100 records on the command line is feasible, but if you have a lot of domains and turn over a lot of requests for modifications a day this quickly becomes a pain.

We built a script to store the records in an SQL database, then create the data file, create the cdb from that, then push the updated file across the network.

Our new DNS server runs directly against the SQL db and provides solid query caching. Now I just have to replicate an SQL db, which is comparatively pain-free :)

Not had my morning coffee yet so please pardon the grammar/seplling ;)

We did that too. (1)

Grendel Drago (41496) | more than 5 years ago | (#27120493)

I had to check to make sure you weren't my old boss! A place I worked about a year ago did that. Our systems automatically registered hosted domain names and dropped the list of subdomains into our database. A cron job pulled records from there, generated the data file, compiled it and told tinydns to reload it.

I really appreciated djbdns's data format after having dealt with BIND at my last job. I remember it being disturbingly finicky about its input--there are plenty of ways to kill your DNS server if, for instance, you didn't increment the serial (why on earth doesn't it just use the timestamp in seconds?) or left out a period somewhere.
