Link: http://www.kb.cert.org/vuls/id/800113
This has been a hot topic lately....which I first became aware of when an urgent ticket was assigned to me on Tuesday to upgrade all the campus DNS servers to a 'safe' version of bind.
During the winter break I had updated the campus caching DNS servers to 9.4.2, but the primary/secondary DNS servers were left running 9.3.4.
The 'safe' versions were 9.3.5-P1, 9.4.2-P1 or 9.5.0-P1.
The main campus caching servers had been running 9.2.3...so they were more pressing to upgrade to 9.4.2. During the break, the data center caching DNS server died...which created a good time to build the latest 9.4.2 version and later I upgraded (and made consistent) all the caching servers to this version.
In response to the urgent ticket, I got all the caching servers to 9.4.2-P1. And, this afternoon I got the primary and secondary DNS servers upgraded to match. I also discovered that the secondary DNS server had inadvertently been acting as a caching server to the whole world. After I turned it off, there were lots of log messages of Comcast addresses being denied cache queries....and it was for a variety of well-known sites, including YouTube, PayPal, Google. At first it was Michigan Comcast, but later I saw numerous other states, such as FL, GA, CO....
Meanwhile...I had started looking at getting the new bind package onto my Linux servers. These servers are well past EOL. So, I knew I was on my own to get things to work.
Anyways....I was able to get bind-9.4.2-P1 to build and eventually run on both my RedHat 7.3 server and my SuSE 9.3 server.
Guess I need to update my Ubuntu (8.04 server) from its desktop....