[afnog] Big DNS vulnerability

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Jul 23 08:19:42 UTC 2008

On Wed, Jul 09, 2008 at 11:05:46AM +0200,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
 a message of 28 lines which said:

> Executive summary: upgrade your recursive name servers ASAP.

The detailed announcement, which was scheduled for August 7th, has
been made in advance (by accident or by desire for fame):


As a result, every cracker on the planet now knows how to write an
exploit. So, we can expect actual uses of the vulnerability at any
moment. And it is a serious one.

> For BIND users (do note that several vendors who ship BIND already
> have the upgraded version, for instance Debian and Gentoo):
> http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
> For Microsoft users:
> http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
> For Cisco users:
> http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml

Patching is therefore now URGENT. According to this survey:


many big ISPs in the USA are STILL vulnerable (I do not know if someone
performed the same survey in Africa but I suspect it will not be much

Only one message: if not patched yet, PATCH NOW.

To test if the resolver is relatively secure, the best Web tool is:


and the best command-line tool is dig :-)

dig @X.Y.Z.T +short porttest.dns-oarc.net TXT

(See https://www.dns-oarc.net/oarc/services/porttest)
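As an added illustration (not part of the original post and not DNS-OARC's porttest code), the script below shows the idea behind the test: an authoritative server records the UDP source port of each query a resolver sends it, and the spread of those ports says how many guesses a forger would need. The three port lists and the GOOD/POOR thresholds are constructed for this example and are not OARC's real values.

```python
"""Judge a resolver's source-port randomization from observed query ports.

Constructed example: the port lists below stand in for what an authoritative
server might log from three different recursive resolvers. Thresholds are
illustrative assumptions, not the ones used by porttest.dns-oarc.net.
"""
import math
import statistics
from collections import Counter

# Unpatched resolver: one port reused for every outgoing query.
FIXED_PORT_RESOLVER = [32768] * 26
# Distinct but predictable: ports handed out sequentially.
SEQUENTIAL_RESOLVER = list(range(32768, 32768 + 26))
# Patched resolver: ports spread across the whole ephemeral range.
RANDOM_PORT_RESOLVER = [
    1025, 3921, 6100, 8842, 11037, 13500, 16384, 18877, 21210,
    24055, 26801, 29300, 31999, 34512, 37100, 39820, 42345, 44901,
    47333, 50010, 52688, 55100, 57777, 60201, 62900, 65500,
]


def port_stats(ports):
    """Return (distinct ports, population std dev, Shannon entropy in bits)."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    n = len(ports)
    counts = Counter(ports)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return len(counts), statistics.pstdev(ports), entropy


def classify(ports, min_unique_fraction=0.9, min_stddev=3000.0):
    """GOOD if nearly every query used a fresh port AND the ports are widely
    spread; a sequential allocator is distinct but fails the spread test."""
    distinct, sd, entropy = port_stats(ports)
    enough_unique = distinct >= min_unique_fraction * len(ports)
    verdict = "GOOD" if enough_unique and sd >= min_stddev else "POOR"
    return verdict, distinct, round(sd, 1), round(entropy, 2)


if __name__ == "__main__":
    for name, ports in [("fixed", FIXED_PORT_RESOLVER),
                        ("sequential", SEQUENTIAL_RESOLVER),
                        ("random", RANDOM_PORT_RESOLVER)]:
        verdict, distinct, sd, bits = classify(ports)
        print(f"{name:10s} {verdict}: {distinct} ports, "
              f"std dev {sd}, {bits} bits of entropy")
```

The fixed-port resolver is what the vulnerability exploits: with one known port, only the 16-bit transaction ID protects a cached answer from forgery.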
