<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12. PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop</title><link rel="stylesheet" href="docbook.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /><link rel="home" href="index.html" title="PowerDNS manual" /><link rel="up" href="powerdns.html" title="Chapter 1. The PowerDNS dynamic nameserver" /><link rel="prev" href="powerdns-advisory-2010-02.html" title="11. PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data" /><link rel="next" href="thanks-to.html" title="13. Acknowledgements" /></head><body><div class="sect1" title="12. PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="powerdns-advisory-2012-01"></a>12. PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop</h2></div></div></div><p>
	</p><div class="table"><a id="idp7725408"></a><p class="title"><b>Table 1.8. PowerDNS Security Advisory</b></p><div class="table-contents"><table summary="PowerDNS Security Advisory" border="1"><colgroup><col /><col /></colgroup><tbody><tr><td>
		  CVE
		</td><td>
		  CVE-2012-0206
		</td></tr><tr><td>
		  Date
		</td><td>
		  10th of January 2012
		</td></tr><tr><td>
		  Credit
		</td><td>
		  Ray Morris of <a class="ulink" href="http://BetterCGI.com/" target="_top">BetterCGI.com</a>. 
		</td></tr><tr><td>
		  Affects
		</td><td>
		  Most PowerDNS Authoritative Server versions &lt; 3.0.1 (with the exception of 2.9.22.5 and 2.9.22.6)
		</td></tr><tr><td>
		  Not affected
		</td><td>
		  No versions of the PowerDNS Recursor ('pdns_recursor') are affected. 
		</td></tr><tr><td>
		  Severity 
		</td><td>
		  High
		</td></tr><tr><td>
		  Impact
		</td><td>
		  Using well-crafted UDP packets, one or more PowerDNS servers could be made to enter a tight packet loop, causing temporary denial of service.
		</td></tr><tr><td>
		  Exploit
		</td><td>
		  Proof of concept
		</td></tr><tr><td>
		  Risk of system compromise
		</td><td>
		  No
		</td></tr><tr><td>
		  Solution
		</td><td>
		  Upgrade to PowerDNS Authoritative Server 2.9.22.5 or 3.0.1
		</td></tr><tr><td>
		  Workaround
		</td><td>
		  Several; the easiest is setting cache-ttl=0, which does have a performance impact. Please see below.
		</td></tr></tbody></table></div></div><p><br class="table-break" />
      </p><p>
	Affected versions of the PowerDNS Authoritative Server can be made to respond to DNS responses, thus enabling
	an attacker to set up a packet loop between two PowerDNS servers, perpetually answering each other's answers. In some scenarios,
	a server could also be made to talk to itself, achieving the same effect.
      </p><p>
	If enough bouncing traffic is generated, this will overwhelm the server or network and disrupt service.
      </p><p>
	As a workaround, if upgrading to a non-affected version is not possible, several options are available. The issue is caused by the packet-cache, which can be disabled by setting 'cache-ttl=0', 
	although this does incur a performance penalty. This can be partially addressed by raising the query-cache-ttl to a (far) higher value.
      </p><p>
	Alternatively, on Linux systems with a working iptables setup, 'responses' sent to the PowerDNS Authoritative Server 'question' address can be
	blocked by issuing:
	</p><pre class="screen">
	  iptables -I INPUT -p udp --dst $AUTHIP --dport 53 \! -f -m u32 --u32 "0&gt;&gt;22&amp;0x3C@8&gt;&gt;15&amp;0x01=1" -j DROP 
	</pre><p>
	If this command is used on a router or firewall, substitute FORWARD for INPUT.
      </p><p>
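	How the u32 test in the rule above selects DNS responses, as an added example that is not part of the original advisory: a simplified Python evaluator for this form of u32 expression, run against constructed packets. The names u32_match, read32 and build_packet and all packet field values are assumptions made for the illustration.

```python
import re
import struct

# u32 test from the advisory's iptables rule, read left to right:
#   0>>22&0x3C  IPv4 header length in bytes (IHL * 4)
#   @8          jump past the IP header, read 4 bytes after the 8-byte UDP header
#   >>15&0x01   QR bit of the DNS flags (1 = response)
RULE = "0>>22&0x3C@8>>15&0x01=1"

def read32(packet, pos):
    """Big-endian 32-bit read; None when the packet is too short."""
    if pos < 0 or pos + 4 > len(packet):
        return None
    return struct.unpack_from("!I", packet, pos)[0]

def u32_match(expr, packet):
    """Simplified evaluator: one test built from offset, >>, <<, &, @ and =value."""
    lhs, want = expr.split("=")
    tokens = re.findall(r">>|<<|&|@|0x[0-9A-Fa-f]+|\d+", lhs)
    base = 0
    value = read32(packet, int(tokens[0], 0))
    for op, arg in zip(tokens[1::2], tokens[2::2]):
        if value is None:
            return False  # read fell outside the packet: no match
        n = int(arg, 0)
        if op == ">>":
            value >>= n
        elif op == "<<":
            value = (value << n) & 0xFFFFFFFF
        elif op == "&":
            value &= n
        else:  # "@": move the base forward by the value, then read at offset n
            base += value
            value = read32(packet, base + n)
    return value is not None and value == int(want, 0)

def build_packet(qr, ihl=5):
    """Constructed sample: IPv4 + UDP + DNS header and question, checksums zero."""
    dns = struct.pack("!HHHHHH", 0x1234, (qr << 15) | 0x0100, 1, 0, 0, 0)
    dns += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 5300, 53, 8 + len(dns), 0) + dns
    options = b"\x00" * (4 * (ihl - 5))  # zero-filled IP options (constructed)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 4 * ihl + len(udp), 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + options + udp

if __name__ == "__main__":
    for qr in (0, 1):
        print("QR =", qr, "-> rule drops packet:", u32_match(RULE, build_packet(qr)))
```

	The rule is an iptables (IPv4) rule and its offsets assume an IPv4 header, so it only applies to IPv4 traffic.
      </p><p>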
	To solve this issue, we recommend upgrading to the latest packages available for your system. 
	Tarballs and new static builds (32/64bit, RPM/DEB) of 2.9.22.5 and 3.0.1 have been uploaded to 
	<a class="ulink" href="http://www.powerdns.com/content/downloads.html" target="_top">our download site</a>. 
	Kees Monshouwer has provided updated CentOS/RHEL packages in <a class="ulink" href="http://www.monshouwer.eu/download/3th_party/" target="_top">his repository</a>. Debian, Fedora and SuSE should have packages available shortly after this announcement.
      </p><p>
	    For those running custom PowerDNS versions, just applying this patch may be easier:
    </p><pre class="screen">
--- pdns/common_startup.cc   (revision 2326)
+++ pdns/common_startup.cc   (working copy)
@@ -253,7 +253,9 @@
       numreceived4++;
     else
       numreceived6++;
-
+    if(P-&gt;d.qr)
+      continue;
+      
     S.ringAccount("queries", P-&gt;qdomain+"/"+P-&gt;qtype.getName());
     S.ringAccount("remotes",P-&gt;getRemote());
     if(logDNSQueries) {
</pre><p>
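    Review bot: the added 'if(P-&gt;d.qr) continue;' carries no comment saying why it has to sit at this point, ahead of the ringAccount calls and everything after them in the loop. A one-line comment stating that packets with the QR bit set are responses and must be dropped before any further processing would help keep the check from being moved later. The skipped packet has already been counted in numreceived4 or numreceived6 but is not accounted for anywhere else, so a dedicated counter for dropped responses would make this traffic visible to operators. The added blank line also carries trailing whitespace.
</p><p>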
    It should apply cleanly to 3.0 and with little trouble to several older releases, including 2.9.22 and 2.9.21.
</p><p>
	This bug resurfaced because over time, the check for 'not responding to responses' moved to the wrong place, allowing certain responses
	to be processed anyhow.
      </p><p>
	We would like to thank Ray Morris of <a class="ulink" href="http://BetterCGI.com/" target="_top">BetterCGI.com</a> for bringing this issue to our attention and
	Aki Tuomi for helping us reproduce the problem.
      </p></div></body></html>