<?xml version="1.0" encoding="UTF-8" standalone="no"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12. PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop</title><link rel="stylesheet" href="docbook.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /><link rel="home" href="index.html" title="PowerDNS manual" /><link rel="up" href="powerdns.html" title="Chapter 1. The PowerDNS dynamic nameserver" /><link rel="prev" href="powerdns-advisory-2010-02.html" title="11. PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data" /><link rel="next" href="thanks-to.html" title="13. Acknowledgements" /></head><body><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">12. PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="powerdns-advisory-2010-02.html">Prev</a> </td><th width="60%" align="center">Chapter 1. The PowerDNS dynamic nameserver</th><td width="20%" align="right"> <a accesskey="n" href="thanks-to.html">Next</a></td></tr></table><hr /></div><div class="sect1" title="12. PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="powerdns-advisory-2012-01"></a>12. PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop</h2></div></div></div><p> </p><div class="table"><a id="idp7725408"></a><p class="title"><b>Table 1.8. 
PowerDNS Security Advisory</b></p><div class="table-contents"><table summary="PowerDNS Security Advisory" border="1"><colgroup><col /><col /></colgroup><tbody><tr><td> CVE </td><td> CVE-2012-0206 </td></tr><tr><td> Date </td><td> 10th of January 2012 </td></tr><tr><td> Credit </td><td> Ray Morris of <a class="ulink" href="http://BetterCGI.com/" target="_top">BetterCGI.com</a>. </td></tr><tr><td> Affects </td><td> Most PowerDNS Authoritative Server versions &lt; 3.0.1 (with the exception of 2.9.22.5 and 2.9.22.6) </td></tr><tr><td> Not affected </td><td> No versions of the PowerDNS Recursor ('pdns_recursor') are affected. </td></tr><tr><td> Severity </td><td> High </td></tr><tr><td> Impact </td><td> Using well-crafted UDP packets, one or more PowerDNS servers could be made to enter a tight packet loop, causing temporary denial of service </td></tr><tr><td> Exploit </td><td> Proof of concept </td></tr><tr><td> Risk of system compromise </td><td> No </td></tr><tr><td> Solution </td><td> Upgrade to PowerDNS Authoritative Server 2.9.22.5 or 3.0.1 </td></tr><tr><td> Workaround </td><td> Several; the easiest is setting cache-ttl=0, which does have a performance impact. Please see below. </td></tr></tbody></table></div></div><p><br class="table-break" /> </p><p> Affected versions of the PowerDNS Authoritative Server can be made to respond to DNS responses, thus enabling an attacker to set up a packet loop between two PowerDNS servers, perpetually answering each other's answers. In some scenarios, a server could also be made to talk to itself, achieving the same effect. </p><p> If enough bouncing traffic is generated, this will overwhelm the server or network and disrupt service. </p><p> As a workaround, if upgrading to a non-affected version is not possible, several options are available. The issue is caused by the packet-cache, which can be disabled by setting 'cache-ttl=0', although this does incur a performance penalty. 
The performance penalty can be partially offset by raising query-cache-ttl to a (far) higher value. </p><p> Alternatively, on Linux systems with a working iptables setup, 'responses' sent to the PowerDNS Authoritative Server 'question' address can be blocked by issuing the following, with $AUTHIP set to the address the server listens on. The u32 match reads the IPv4 header length, skips the UDP header and tests the DNS QR (response) bit, so only packets flagged as responses are dropped: </p><pre class="screen"> iptables -I INPUT -p udp --dst $AUTHIP --dport 53 \! -f -m u32 --u32 "0&gt;&gt;22&amp;0x3C@8&gt;&gt;15&amp;0x01=1" -j DROP </pre><p> If this command is used on a router or firewall, substitute FORWARD for INPUT. </p><p> To solve this issue, we recommend upgrading to the latest packages available for your system. Tarballs and new static builds (32/64bit, RPM/DEB) of 2.9.22.5 and 3.0.1 have been uploaded to <a class="ulink" href="http://www.powerdns.com/content/downloads.html" target="_top">our download site</a>. Kees Monshouwer has provided updated CentOS/RHEL packages in <a class="ulink" href="http://www.monshouwer.eu/download/3th_party/" target="_top">his repository</a>. Debian, Fedora and SuSE should have packages available shortly after this announcement. </p><p> For those running custom PowerDNS versions, just applying this patch may be easier: </p><pre class="screen"> --- pdns/common_startup.cc (revision 2326) +++ pdns/common_startup.cc (working copy) 
@@ -253,7 +253,9 @@ numreceived4++; else numreceived6++; - + if(P->d.qr) + continue; + S.ringAccount("queries", P->qdomain+"/"+P->qtype.getName()); S.ringAccount("remotes",P->getRemote()); if(logDNSQueries) { </pre><p> It should apply cleanly to 3.0 and with little trouble to several older releases, including 2.9.22 and 2.9.21. </p><p> This bug resurfaced because, over time, the check for 'not responding to responses' moved to the wrong place, allowing certain responses to be processed anyway. </p><p> We would like to thank Ray Morris of <a class="ulink" href="http://BetterCGI.com/" target="_top">BetterCGI.com</a> for bringing this issue to our attention and Aki Tuomi for helping us reproduce the problem. </p></div></body></html>
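<p> Review bot: the <code>continue</code> added to the receive loop discards every packet with the QR bit set without recording that it did so, so the only trace of a loop attempt is in the <code>numreceived4</code>/<code>numreceived6</code> counters that run just before the check, and those count legitimate queries too. Consider incrementing a dedicated counter before the <code>continue</code>, so operators can see how many responses are being dropped and alert on a sudden rise. </p>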
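<p> As an added example that is not part of this advisory or of the PowerDNS code, the Python below constructs IPv4/UDP/DNS packets and applies the "is this a response?" test at both layers the advisory relies on: on the parsed DNS header, as the patched receive loop does, and by following the iptables u32 expression from the workaround above offset by offset, including a packet with IPv4 options to show why the header-length step matters. Packet contents, addresses and all function names are constructed for the example. </p>

```python
"""Added example: the DNS QR (response) bit checked at two layers.

server_should_answer() mirrors the patched PowerDNS receive loop, which skips
any packet whose QR bit is set. u32_qr_match() follows the iptables u32
expression "0>>22&0x3C@8>>15&0x01=1" step by step on the raw IPv4 packet.
All packets here are constructed test data, not captures.
"""
import struct

DNS_QR_BIT = 0x8000  # most significant bit of the 16-bit DNS flags word


def build_udp_dns_packet(dns_id, flags, ip_options=b""):
    """Constructed IPv4 + UDP + 12-byte DNS header. ip_options (multiple of 4
    bytes) lengthens the IPv4 header so that IHL differs from the usual 5."""
    if len(ip_options) % 4:
        raise ValueError("IPv4 options must be padded to a 4-byte boundary")
    ihl = 5 + len(ip_options) // 4
    dns_header = struct.pack("!HHHHHH", dns_id, flags, 1, 0, 0, 0)
    udp_len = 8 + len(dns_header)
    udp_header = struct.pack("!HHHH", 53, 53, udp_len, 0)  # sport, dport, len, csum
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,        # version 4, header length in 32-bit words
        0,                     # TOS
        ihl * 4 + udp_len,     # total length
        0, 0,                  # identification, flags/fragment offset
        64, 17, 0,             # TTL, protocol UDP, checksum (left unset)
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),  # RFC 5737 test addresses
    ) + ip_options
    return ip_header + udp_header + dns_header


def dns_is_response(dns_payload):
    """The check the patch adds: is the QR bit set in the DNS flags word?"""
    if len(dns_payload) < 12:
        return False  # not even a full DNS header
    (flags,) = struct.unpack("!H", dns_payload[2:4])
    return bool(flags & DNS_QR_BIT)


def server_should_answer(ip_packet):
    """Receive-loop decision: parse down to the DNS payload, refuse responses."""
    ihl_bytes = (ip_packet[0] & 0x0F) * 4
    return not dns_is_response(ip_packet[ihl_bytes + 8:])


def u32_qr_match(ip_packet):
    """Emulate "0>>22&0x3C@8>>15&0x01=1" on the raw packet.

    u32 works on big-endian 32-bit words: '0' loads the word at offset 0,
    '>>22&0x3C' turns the IHL nibble into a byte count, '@8' moves the base
    past the UDP header, and the next word holds DNS ID + flags, whose bit 15
    is QR. The rule matches (and drops) when that bit is 1."""
    def word_at(offset):
        if offset + 4 > len(ip_packet):
            return None  # u32 fails the match if the packet is too short
        return struct.unpack("!I", ip_packet[offset:offset + 4])[0]

    first_word = word_at(0)
    if first_word is None:
        return False
    ihl_bytes = (first_word >> 22) & 0x3C      # IHL * 4
    dns_word = word_at(ihl_bytes + 8)          # skip the 8-byte UDP header
    if dns_word is None:
        return False
    return ((dns_word >> 15) & 0x01) == 1       # QR bit of the flags field


# Constructed samples: a normal query (RD set), a standard response (QR|RD|RA),
# and the same response behind a 24-byte IPv4 header (four NOP option bytes).
QUERY = build_udp_dns_packet(0x1234, 0x0100)
RESPONSE = build_udp_dns_packet(0x1234, 0x8180)
RESPONSE_WITH_IP_OPTIONS = build_udp_dns_packet(0x1234, 0x8180, ip_options=b"\x01" * 4)

if __name__ == "__main__":
    for name, pkt in [("query", QUERY), ("response", RESPONSE),
                      ("response+ipopts", RESPONSE_WITH_IP_OPTIONS)]:
        print(f"{name:16s} iptables drops: {u32_qr_match(pkt)!s:5}  "
              f"server answers: {server_should_answer(pkt)}")
```

<p> Running the file prints, for each sample, whether the iptables rule would drop it and whether a patched server would answer it; the two decisions agree on every packet, which is what makes the firewall rule a usable stand-in for the patch. One caveat the emulation makes visible: the expression starts by reading the IPv4 header length, so it says nothing about IPv6 traffic, which needs its own rule. </p>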