Category
Security
Release Phase
Resolved
Product
Solaris 9 Operating System
Bug Id
6315143
Date of Resolved Release
08-NOV-2005
Impact
An unprivileged remote user may be able to cause a Denial of Service (DoS) of the Domain Name System (DNS) by causing in.named(1M) to make unnecessary queries to root servers for address records.
Applications, systems and devices relying on the Domain Name System may then fail.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 9 without patch 112970-09
x86 Platform
- Solaris 9 without patch 114354-08
Note: Solaris 8 and Solaris 10 are not affected by this issue.
The described issue only occurs on systems configured as an Internet Domain Name System (DNS) server. A system is configured to be a DNS server if the configuration file "/etc/named.conf" exists (see named.conf(4)).
Symptoms
The DNS server receives a large volume of requests for domains for which it is not authoritative.
The DNS server then sends queries to root servers for IPv6 address records that it has already cached.
To verify that in.named(1M) is experiencing this issue, a network monitoring tool such as snoop(1M) can be used, either on the affected system itself or on another system on the same network.
Run the following command as "root":
# snoop -o <output-file> port 53 DNS-server-address
Afterwards, the snoop(1M) utility can display the packets captured in the "output-file" using the "-i" option, as in:
# snoop -i output-file
Inspect the output for sequences of repetitive DNS packets to root servers, which will look similar to the following:
# snoop -o snoop.out port 53 dns-server
Using device /dev/dmfe0 (promiscuous mode)
52 ^C
# snoop -i snoop.out
1 0.00000 dns-server -> E.ROOT-SERVERS.NET DNS C B.ROOT-SERVERS.NET. Internet Unknown (28) ?
2 0.00030 dns-server -> E.ROOT-SERVERS.NET DNS C B.ROOT-SERVERS.NET. Internet Unknown (38) ?
3 0.00028 dns-server -> E.ROOT-SERVERS.NET DNS C J.ROOT-SERVERS.NET. Internet Unknown (28) ?
4 0.00024 dns-server -> E.ROOT-SERVERS.NET DNS C J.ROOT-SERVERS.NET. Internet Unknown (38) ?
5 0.00024 dns-server -> E.ROOT-SERVERS.NET DNS C K.ROOT-SERVERS.NET. Internet Unknown (28) ?
6 0.00023 dns-server -> E.ROOT-SERVERS.NET DNS C K.ROOT-SERVERS.NET. Internet Unknown (38) ?
7 0.00025 dns-server -> E.ROOT-SERVERS.NET DNS C L.ROOT-SERVERS.NET. Internet Unknown (28) ?
8 0.00024 dns-server -> E.ROOT-SERVERS.NET DNS C L.ROOT-SERVERS.NET. Internet Unknown (38) ?
9 0.00025 dns-server -> E.ROOT-SERVERS.NET DNS C M.ROOT-SERVERS.NET. Internet Unknown (28) ?
10 0.00038 dns-server -> E.ROOT-SERVERS.NET DNS C M.ROOT-SERVERS.NET. Internet Unknown (38) ?
11 0.00027 dns-server -> E.ROOT-SERVERS.NET DNS C I.ROOT-SERVERS.NET. Internet Unknown (28) ?
12 0.00024 dns-server -> E.ROOT-SERVERS.NET DNS C I.ROOT-SERVERS.NET. Internet Unknown (38) ?
13 0.17107 E.ROOT-SERVERS.NET -> dns-server DNS R
14 0.00055 E.ROOT-SERVERS.NET -> dns-server DNS R
15 0.00006 E.ROOT-SERVERS.NET -> dns-server DNS R
16 0.00018 E.ROOT-SERVERS.NET -> dns-server DNS R
17 0.00007 E.ROOT-SERVERS.NET -> dns-server DNS R
18 0.00008 E.ROOT-SERVERS.NET -> dns-server DNS R
19 0.00004 E.ROOT-SERVERS.NET -> dns-server DNS R
20 0.00004 E.ROOT-SERVERS.NET -> dns-server DNS R
21 0.00018 E.ROOT-SERVERS.NET -> dns-server DNS R
22 0.00003 E.ROOT-SERVERS.NET -> dns-server DNS R
23 0.00006 E.ROOT-SERVERS.NET -> dns-server DNS R
24 0.00010 E.ROOT-SERVERS.NET -> dns-server DNS R
25 13.26216 dns-server -> d.root-servers.net DNS C B.ROOT-SERVERS.NET. Internet Unknown (28) ?
26 0.00029 dns-server -> d.root-servers.net DNS C B.ROOT-SERVERS.NET. Internet Unknown (38) ?
27 0.00025 dns-server -> d.root-servers.net DNS C J.ROOT-SERVERS.NET. Internet Unknown (28) ?
28 0.00024 dns-server -> d.root-servers.net DNS C J.ROOT-SERVERS.NET. Internet Unknown (38) ?
29 0.00024 dns-server -> d.root-servers.net DNS C K.ROOT-SERVERS.NET. Internet Unknown (28) ?
30 0.00023 dns-server -> d.root-servers.net DNS C K.ROOT-SERVERS.NET. Internet Unknown (38) ?
31 0.00024 dns-server -> d.root-servers.net DNS C L.ROOT-SERVERS.NET. Internet Unknown (28) ?
32 0.00023 dns-server -> d.root-servers.net DNS C L.ROOT-SERVERS.NET. Internet Unknown (38) ?
33 0.00027 dns-server -> d.root-servers.net DNS C M.ROOT-SERVERS.NET. Internet Unknown (28) ?
34 0.00023 dns-server -> d.root-servers.net DNS C M.ROOT-SERVERS.NET. Internet Unknown (38) ?
35 0.00024 dns-server -> d.root-servers.net DNS C I.ROOT-SERVERS.NET. Internet Unknown (28) ?
36 0.00023 dns-server -> d.root-servers.net DNS C I.ROOT-SERVERS.NET. Internet Unknown (38) ?
37 0.08847 d.root-servers.net -> dns-server DNS R
38 0.00006 d.root-servers.net -> dns-server DNS R
39 0.00005 d.root-servers.net -> dns-server DNS R
40 0.00002 d.root-servers.net -> dns-server DNS R
41 0.00002 d.root-servers.net -> dns-server DNS R
42 0.00008 d.root-servers.net -> dns-server DNS R
43 0.00019 d.root-servers.net -> dns-server DNS R
44 0.00003 d.root-servers.net -> dns-server DNS R
45 0.00004 d.root-servers.net -> dns-server DNS R
46 0.00002 d.root-servers.net -> dns-server DNS R
47 0.00003 d.root-servers.net -> dns-server DNS R
48 0.00003 d.root-servers.net -> dns-server DNS R
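The capture above has to be read by eye for repeated root-server lookups. The following script is an added example, not part of the Sun Alert: it parses the one-line summaries that "snoop -i" prints and counts how often the server asked a root server for address records of the root servers themselves (type 28 is AAAA and type 38 is A6, which this snoop release prints as "Unknown (28)" / "Unknown (38)"). The sample capture embedded in the script is constructed from the lines shown above; the "client" and "a.root-servers.net" lines are added to show traffic that is not flagged, and the exact spelling snoop uses for known record types ("Addr") is an assumption.

```python
import re
import sys
from collections import Counter

# One line of `snoop -i <file>` summary output, e.g.
#   1 0.00000 dns-server -> E.ROOT-SERVERS.NET DNS C B.ROOT-SERVERS.NET. Internet Unknown (28) ?
SNOOP_LINE = re.compile(
    r'^\s*(?P<num>\d+)\s+(?P<delta>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)'
    r'\s+DNS\s+(?P<kind>[CR])(?:\s+(?P<rest>.*))?$')
TYPE_CODE = re.compile(r'\((\d+)\)')
# This snoop release prints the IPv6 address types by number only.
RR_TYPES = {1: 'A', 28: 'AAAA', 38: 'A6'}


def parse_snoop_line(line):
    """Return a dict for a DNS summary line, or None if the line is not one."""
    m = SNOOP_LINE.match(line)
    if m is None:
        return None
    rec = {'num': int(m['num']), 'delta': float(m['delta']),
           'src': m['src'], 'dst': m['dst'], 'kind': m['kind'],
           'qname': None, 'qtype': None}
    if rec['kind'] == 'C' and m['rest']:
        fields = m['rest'].split()
        rec['qname'] = fields[0].lower()
        code = TYPE_CODE.search(m['rest'])
        if code:
            rec['qtype'] = RR_TYPES.get(int(code.group(1)), 'TYPE%s' % code.group(1))
        else:
            # Known types are printed by name between the class and the trailing "?"
            # (assumed format, e.g. "Internet Addr ?").
            rec['qtype'] = ' '.join(w for w in fields[2:] if w != '?')
    return rec


def is_root_server(host):
    """True for any name under root-servers.net, with or without a trailing dot."""
    return host.lower().rstrip('.').endswith('root-servers.net')


def repeated_root_address_queries(lines, threshold=2):
    """Count queries sent to root servers for address records of the root
    servers themselves and return the (qname, qtype) pairs asked at least
    `threshold` times.  A healthy cache answers these locally after the first
    lookup, so repeats within one capture are the symptom the alert describes."""
    seen = Counter()
    for line in lines:
        rec = parse_snoop_line(line)
        if rec is None or rec['kind'] != 'C':
            continue
        if not (is_root_server(rec['dst']) and is_root_server(rec['qname'])):
            continue
        seen[(rec['qname'], rec['qtype'])] += 1
    return {key: n for key, n in seen.items() if n >= threshold}


# Constructed sample, based on the capture shown in the alert.
SAMPLE_CAPTURE = """\
 1 0.00000 dns-server -> E.ROOT-SERVERS.NET DNS C B.ROOT-SERVERS.NET. Internet Unknown (28) ?
 2 0.00030 dns-server -> E.ROOT-SERVERS.NET DNS C B.ROOT-SERVERS.NET. Internet Unknown (38) ?
 3 0.00028 dns-server -> E.ROOT-SERVERS.NET DNS C J.ROOT-SERVERS.NET. Internet Unknown (28) ?
 4 0.00024 dns-server -> E.ROOT-SERVERS.NET DNS C J.ROOT-SERVERS.NET. Internet Unknown (38) ?
 5 0.17107 E.ROOT-SERVERS.NET -> dns-server DNS R
 6 0.00055 E.ROOT-SERVERS.NET -> dns-server DNS R
 7 0.00100 client -> dns-server DNS C www.example.com. Internet Addr ?
 8 0.00050 dns-server -> a.root-servers.net DNS C example.com. Internet Addr ?
 9 13.26216 dns-server -> d.root-servers.net DNS C B.ROOT-SERVERS.NET. Internet Unknown (28) ?
10 0.00029 dns-server -> d.root-servers.net DNS C B.ROOT-SERVERS.NET. Internet Unknown (38) ?
11 0.00025 dns-server -> d.root-servers.net DNS C J.ROOT-SERVERS.NET. Internet Unknown (28) ?
12 0.00024 dns-server -> d.root-servers.net DNS C J.ROOT-SERVERS.NET. Internet Unknown (38) ?
""".splitlines()


if __name__ == '__main__':
    # Pipe real output in with:  snoop -i snoop.out | python3 this_script.py
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for (qname, qtype), n in sorted(repeated_root_address_queries(lines).items()):
        print('%-25s %-5s asked of root servers %d times' % (qname, qtype, n))
```

Run it against a real capture with "snoop -i snoop.out | python3 script.py"; with no input it analyses the embedded sample. Lines that are not DNS summaries (the "Using device" banner, the packet count) are ignored, and queries to a root server for other names (a normal delegation lookup) are not counted, so only the wasteful cache-bypassing lookups are reported.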
Workaround
To work around the described issue, modify named.conf to provide access control lists that permit only known clients to make queries. See named.conf(4) for further explanation of the following options.
For example:
// Define a named acl that lists our networks and clients
// which are allowed to make queries for external data.
// Replace address-match-list with your own networks and hosts.
//
acl our-clients { address-match-list };
// By default only permit our-clients to make queries.
options {
allow-query { our-clients; };
allow-recursion { our-clients; };
// Add here any other options you require.
};
// Turn allow-query back on for every master/slave zone.
zone "example.net" {
type master;
allow-query { any; };
// Add here any other zone options you require.
};
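The two settings that matter in the workaround are allow-recursion and the global allow-query in the options block. The following script is an added example, not part of the Sun Alert or of BIND: it strips named.conf comments, locates the top-level options block and reports when recursion is open to any client. The two configurations embedded at the end are constructed samples (a hardened one following the workaround, with 192.0.2.0/24 standing in for the address-match-list, and a weak one with no access controls); the parser handles only the brace syntax needed for these checks and is not a full named.conf grammar.

```python
import re

def strip_named_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def top_level_block(text, keyword):
    """Return the text between the braces of `keyword { ... };`, matching nested
    braces, or None when the statement is absent or the braces are unbalanced."""
    m = re.search(r'(?<![\w-])' + re.escape(keyword) + r'\s*\{', text)
    if m is None:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None


def acl_list(body, option):
    """Return the address-match-list items of `option { ...; }` inside a block
    body, or None when the option is not set there."""
    m = re.search(r'(?<![\w-])' + re.escape(option) + r'\s*\{([^}]*)\}', body)
    if m is None:
        return None
    return [item.strip() for item in m.group(1).split(';') if item.strip()]


def audit_recursion(conf):
    """Return a list of findings describing who may recurse through this server."""
    text = strip_named_comments(conf)
    findings = []
    options = top_level_block(text, 'options')
    if options is None:
        findings.append('no options block: queries and recursion are open to any client')
        return findings
    if re.search(r'(?<![\w-])recursion\s+no\s*;', options):
        return findings  # authoritative-only server: no recursive lookups for anyone
    recursion = acl_list(options, 'allow-recursion')
    if recursion is None:
        findings.append('allow-recursion not set: BIND 8 and BIND 9 before 9.4 '
                        'default to any')
    elif 'any' in recursion:
        findings.append('allow-recursion { any; } lets unknown clients drive '
                        'recursive lookups')
    query = acl_list(options, 'allow-query')
    if query is None or 'any' in query:
        findings.append('global allow-query is not restricted to known clients; '
                        'the workaround restricts it and re-opens it per zone')
    return findings


# Constructed sample following the alert's workaround.
HARDENED_CONF = """\
acl our-clients { 192.0.2.0/24; localhost; };
options {
    directory "/var/named";
    allow-query { our-clients; };
    allow-recursion { our-clients; };   // only our clients may recurse
};
zone "example.net" {
    type master;
    file "example.net.zone";
    allow-query { any; };   # public data for our own zone
};
"""

# Constructed sample with no access controls at all.
WEAK_CONF = """\
options {
    directory "/var/named";
};
zone "example.net" { type master; file "example.net.zone"; };
"""

if __name__ == '__main__':
    for name, conf in (('hardened', HARDENED_CONF), ('weak', WEAK_CONF)):
        print(name + ':', audit_recursion(conf) or ['no findings'])
```

The check treats "recursion no;" as closing the issue because an authoritative-only server never performs the root lookups at all; otherwise it requires allow-recursion to name a specific list rather than "any", which is exactly what the workaround's acl achieves.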
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 9 with patch 112970-09 or later
x86 Platform
- Solaris 9 with patch 114354-08 or later
References
112970-09
114354-08
Attachments
This solution has no attachment