A flaw was found in the way the "nxdomain-redirect" feature was implemented in bind. An attacker could use this flaw on a server with a vulnerable configuration to cause bind to exit, denying service to other clients.
Description Huzaifa S. Sidhpurwala
2019-04-24 06:03:32 UTC
As per upstream advisory:
A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally.
The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible.
An attacker who can deliberately trigger the condition on a server with a vulnerable configuration can cause BIND to exit, denying service to other clients.
Comment 1 Huzaifa S. Sidhpurwala
2019-04-24 06:03:34 UTC
Acknowledgments:
Name: ISC
Comment 2 Huzaifa S. Sidhpurwala
2019-04-24 06:37:21 UTC
Statement:
The most common bind configuration affected by this flaw is one where the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible.
Comment 3 Huzaifa S. Sidhpurwala
2019-04-24 06:37:23 UTC
Mitigation:
Exploitation of this defect can be effectively prevented by disabling the nxdomain-redirect feature in the nameserver's configuration.
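A configuration audit for the condition the advisory describes, as an added example that is not part of the original bug report or of ISC's code: it flags an `nxdomain-redirect` target that lies beneath a zone the server serves locally. The sample configuration, the function names and the set of zone types treated as "served locally" are assumptions, and `include` files are not followed.

```python
import re

# Assumption: these zone types count as "served locally" for the advisory's condition.
LOCAL_TYPES = {"master", "primary", "slave", "secondary", "mirror"}
# Constructed sample configuration (not taken from the bug report).
SAMPLE = '''
options {
    nxdomain-redirect "redirect.example.";   // alternate namespace
};
zone "." { type mirror; };
zone "example.net" IN { type secondary; masters { 192.0.2.1; }; file "net.db"; };
'''

def strip_comments(conf):
    """Drop /* */, // and # comments (comment markers inside quotes are not handled)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def norm(name):
    """Lower-case a domain name and drop the trailing dot; the root zone becomes ''."""
    return name.strip('"').lower().rstrip(".")

def block_at(conf, i):
    """Return the body of the brace block whose '{' is at index i."""
    depth = 0
    for j in range(i, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[j], 0)
        if depth == 0:
            return conf[i + 1:j]
    raise ValueError("unbalanced braces in configuration")

def local_zones(conf):
    """Names of zones whose 'type' is in LOCAL_TYPES, including zones inside views."""
    zones = []
    for m in re.finditer(r'\bzone\s+"([^"]*)"\s*(?:\w+\s*)?\{', conf):
        t = re.search(r"\btype\s+([\w-]+)\s*;", block_at(conf, m.end() - 1))
        if t and t.group(1).lower() in LOCAL_TYPES:
            zones.append(norm(m.group(1)))
    return zones

def audit(conf_text):
    """Return (redirect_target, local_zone) pairs where the target is below the zone."""
    conf = strip_comments(conf_text)
    hits = []
    for m in re.finditer(r'\bnxdomain-redirect\s+("?[^\s;"]+"?)\s*;', conf):
        target = norm(m.group(1))
        # Strict descendant test; every name is below the root zone ('').
        hits += [(target or ".", z or ".") for z in local_zones(conf)
                 if target != z and (z == "" or target.endswith("." + z))]
    return hits
```

An empty result from `audit()` means no redirect target was found beneath a locally served zone in the text it was given; a non-empty result lists each target with the zone that contains it.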
Comment 4 Huzaifa S. Sidhpurwala
2019-04-24 06:41:23 UTC