Common Vulnerabilities and Exposures assigned an identifier CVE-2006-0987 to the following vulnerability:

The default configuration of ISC BIND, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.

References:
[1] http://www.securityfocus.com/archive/1/archive/1/426368/100/0/threaded
[2] http://dns.measurement-factory.com/surveys/sum1.html
[3] http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
[4] http://marc.theaimsgroup.com/?t=114184133900001
[5] http://isotf.org/news/DNS-Amplification-Attacks.pdf
As noted in the referenced DNS Amplification Attacks PDF article [5], a recursive name server should only accept queries from local or authorized clients in order not to be vulnerable to the distributed denial of service (traffic amplification / Smurf) attack. In the default configuration the named service, as shipped within the bind package with Red Hat Enterprise Linux 5 and 6, listens only for DNS queries from localhost. The relevant named.conf configuration file settings are:

named.conf:
..
allow-query { localhost; };
..

Therefore, as such (in the default configuration), it is NOT vulnerable to the CVE-2006-0987 flaw.
This issue is inherited from the DNS design and cannot be fixed on the DNS protocol level. However, there is a "rate-limiting" patch for BIND which effectively prevents amplification attacks. It is available at http://www.redbarn.org/dns/ratelimits

We can consider backporting the patch.
(In reply to comment #2)
> This issue is inherited from the DNS design and cannot be fixed on the DNS
> protocol level. However, there is a "rate-limiting" patch for BIND which
> effectively prevents amplification attacks. It is available at
> http://www.redbarn.org/dns/ratelimits
>
> We can consider backporting the patch.

Thank you for the suggestion, Adam. The request to backport the security hardening patch for non-default bind configurations is now tracked under bug #873624.
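An added illustration, not taken from the bug report, from Red Hat or from ISC: the first options block is the open-resolver pattern the CVE describes, and the second is the localhost-restricted default from comment 2, extended to a trusted client list and to the response-rate-limiting feature that the redbarn.org patch later became upstream (the rate-limit clause, BIND 9.10 and later). The acl name "trusted" and the 192.0.2.0/24 subnet are constructed placeholders.

```conf
// --- VULNERABLE pattern (CVE-2006-0987): an open resolver ---
// Constructed example, NOT the Red Hat default named.conf.
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };        // any address on the Internet may query ...
    allow-recursion { any; };    // ... and have the server recurse on its behalf,
                                 // so a small spoofed query yields a large answer
};

// --- HARDENED: recursion only for local/authorized clients, plus RRL ---
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;    // constructed example subnet (RFC 5737 documentation range)
};

options {
    directory "/var/named";
    recursion yes;
    // Equivalent in spirit to the shipped default "allow-query { localhost; };"
    // from comment 2, widened only to the explicitly trusted networks.
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    // Trim additional-section data (the "additional delegation information"
    // named in the CVE text), shrinking what a spoofed query can elicit.
    minimal-responses yes;

    // Response rate limiting: identical answers to one client network are
    // capped per second; excess answers are dropped or "slipped" (every 2nd
    // becomes a small truncated reply that forces legitimate clients to retry
    // over TCP, which a spoofed source cannot complete).
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
        log-only no;    // set to yes first to observe the effect in the log
    };
};
```

After editing, run named-checkconf to validate the syntax before reloading the service.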
This issue did NOT affect the versions of the bind package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue did NOT affect the version of the bind97 package, as shipped with Red Hat Enterprise Linux 5.

--

This issue did NOT affect the versions of the bind package, as shipped with Fedora 16 and Fedora 17.
Statement: Not vulnerable. This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 5 and 6, or the version of bind97 as shipped with Red Hat Enterprise Linux 5, as in the default configuration the named service accepts DNS queries only from localhost.