July 29, 2008 1:45 PM PDT

Apple in a bind over its DNS patch?

by Robert Vamosi

Updated 2:50 p.m. PDT with comments from security researcher Rich Mogull.

Three weeks after the disclosure of a serious flaw within the Domain Name System (DNS), Apple has yet to patch its Mac OS X operating system, but the company may be able to look to a third party in its defense.

In a posting to an Internet newsgroup on Monday, Paul Vixie of the Internet Systems Consortium (ISC) acknowledged that the Berkeley Internet Name Domain (BIND) DNS Server's recent -P1 releases may be unstable for some users. The BIND DNS Server is used on the vast majority of name serving machines on the Internet and provides an openly redistributable reference implementation of the major components of the Domain Name System.

Vixie, one of the researchers briefed in advance of the DNS flaw disclosure by Dan Kaminsky, said that once ISC learned of the problem, it began work immediately on a patch.

However, "during the development cycle we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000 queries per second. Given the limited time frame and associated risks we chose to finish the patches ASAP and accelerate our work on the next point releases that would address the high-volume server performance concerns."

Vixie underscored that having the DNS patch was more important than worrying about slow server problems. He said that ISC will release versions 9.3.5-P2, 9.4.2-P2, and 9.5.0-P2 at the end of this week.

Separately, security researcher Rich Mogull of Securosis.com echoed that having a DNS patch was better than not having one.

In a blog post last week, co-authored with Glenn Fleishman, Mogull commented on Apple's lack of a patch. He wrote: "Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."

In an e-mail to CNET News, Mogull said "Apple may be stuck between a rock and a hard place on this one, but they've chosen the worst possible option--remaining silent."

He went on to say that it is not yet known how the BIND instability affects Mac OS X Server.

"If it were unstable, my recommendation would be to make a preliminary patch available that those using it as a recursive DNS server can apply. With an active exploit, no patch at all is not a viable option and places customers at high risk. Let the customers make their own risk decision."

Mogull suggests that those savvy with compiling code could still install their own version of 9.5.0-P1 to a Mac OS X Server or "reconfigure those servers to forward DNS requests to alternative platforms, such as BIND on Linux or Unix, or Microsoft servers, until Apple issues a patch."

Current attacks in the wild only affect DNS caching on Web servers, said Mogull in his blog, so desktop Mac OS X users need not be concerned just yet.

Apple had no comment to a request from CNET News regarding the status of a Mac OS X DNS patch.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
(15 Comments)
by Vegaman_Dan July 29, 2008 2:43 PM PDT
Give them time. Apple is notoriously slow in releasing any patch for vulnerabilities. This isn't anything different this time. They will get it addressed eventually. It's not a critical issue at this time.

"Apple had no comment to a request from CNET News regarding the status of a Mac OS X DNS patch."

Now that's the funny part of the story. Of course they won't have a comment. It's *APPLE*, they don't comment on anything. Requesting information is pointless.

Reply to this comment
by Dalkorian July 29, 2008 3:24 PM PDT
Actually, rumor has it that attack code exploiting this is out there now (Kaminsky himself posted something to the effect of "Patch. Today. Now. Yes, stay late."). I don't think we've seen any attacks yet, but it could be as short as days (maybe hours?) away. I would argue it IS a critical issue at this time. The servers need to be patched before the criminals exploit the vulnerability, otherwise all kinds of havoc is possible. The most troubling part of this is the fact that you can fix your DNS servers, but if your ISP neglects to do the same you can still be a victim of this. Like the idea of your customers being redirected to some server in Russia because someone else didn't fix their Bind servers?

There are two ways I'm aware of to check if the DNS servers you're using are vulnerable. Kaminsky has a test on his website, http://www.doxpara.com/. The other option is to either visit https://www.dns-oarc.net/oarc/services/porttest or use the dig tool that comes with BIND to send the following query (replace yourdns with the address of the resolver you want to test):
dig @yourdns +short porttest.dns-oarc.net TXT

Note that if you are running purely authoritative servers (no recursion) then I *THINK* you're safe.
by Dalkorian July 30, 2008 12:19 PM PDT
I posted just yesterday that attacks are days if not hours away. Guess what article I ran into this morning?

http://www.macworld.com/article/134758/2008/07/dnsattack.html?lsrc=rss_main

Looks like it's started already, just hours after my post. Notice as I pointed out that the "victim" here wasn't the one that was "attacked", it was his ISP.

It *IS* a critical issue. Patch now. I did. One machine is an AIX box, the other is running OSX 10.4. It's possible to patch without Apple's help (harder, but definitely possible - and worthwhile!).
by Dalkorian July 29, 2008 3:05 PM PDT
Yes, Apple should release an update for their Bind distro. Now. Today. No, you should NOT forward to some winblows machine (winblows doesn't play nice with true Bind, as usual, M$ bastardized it and called it ActiveDirectory but should have just named it ADHD instead). Yes, it's easy to just go get the source for Bind and build it yourself (configure, make, make install; read over the configure options to build it to install where you want it, like over Apple's vulnerable version of Bind). Yes, you NEED to do something about this (either build the patched version or forward to something secure - *nix boxes or OpenDNS). Now. Today. Stay late, put in the overtime.

Disclaimer: I believe that if you're not running a recursive server you're safe, but I'm not absolutely sure about that. It is a cache poisoning attack, which is obviously easier when a zone is fetched from other DNS servers than it is when you're authoritative for the zone and have a zone file to reference. Notice this disclaimer only applies to servers, clients are hosed until everyone is scared into fixing their DNS servers. That's why this is so important, you can fix your DNS server but if JoeBloeFishAndTackleAndInternetServiceProvider doesn't fix *HIS* server, you and/or your customers/clients can get a poisoned record from *HIM* that redirects people to the wrong sites.
Reply to this comment
by Thomas, David July 29, 2008 3:53 PM PDT
"DNS Patches cause problems ..."
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111001&intsrc=hm_list

Seems to me, that if this is what happened at Apple, they truly were/are between a rock, and a hard place.
Reply to this comment
by Dalkorian July 30, 2008 12:35 PM PDT
Most of the BIND issues are performance related (particularly with the 9.4.X branch, I've seen other stability issues discussed on the BIND mailing list about the 9.5.X branch though). The choice is simple, a slower DNS server or an insecure one. I know which choice I'd make (in fact I already made it, updating my internal DNS servers at work to 9.4.2-P1; one is an AIX box and the other is a Mac Mini running 10.4.11).

The M$ issues can basically be ignored because M$ doesn't use BIND, they have (as usual) their own bastardized version (AD, which should stand for Attention Deficit ...) designed not to play nice with anyone else.

OSX on the other hand uses standard BIND (admittedly with a non-standard proprietary GUI) and therefore SHOULD update now. Attacks are already happening!

http://www.macworld.com/article/134758/2008/07/dnsattack.html?lsrc=rss_main
by mathue_tax July 29, 2008 4:29 PM PDT
The researchers couldn't care less about reliability, only that we're supposedly 'safe'. So, unsafe but reliable, or safe and unreliable. And to top it off these vulnerabilities would likely have never been found in the wild. Uh, Blackhats, you need to work on your public image guys. I have a vulnerability. If I shoot an arrow at a tire you could lose control of your car and crash. Therefore we must put plate armor on the side of cars to protect the tires.
Reply to this comment
by bstern2 July 29, 2008 10:49 PM PDT
You have to keep in mind that the Open Directory and Kerberos subsystems rely on DNS and/or FQDNs to resolve queries, and that the DNS performance issues that show up in P1 will hit Mac OS X Server VERY hard. Apple probably tested the performance during validation in the lab and decided to wait on Patch 2, when the problem will be addressed.

Port randomization is nice but that won't help on the high-volume resolving some parts of OS X Server rely on for subsystem services. Of course forwarding to OpenDNS fixes the exposure issue. Tiger Server 10.4.x is not concerned if it uses NetInfo, since NetInfo is not BIND dependent at all, but this will partly break the GUI Apple ships Mac OS X Server with.

Safe but underperforming does not cut it in this case.
Reply to this comment
by Dalkorian July 30, 2008 12:37 PM PDT
So you would rather good performance without safety? Attacks have started already, you know ...

http://www.macworld.com/article/134758/2008/07/dnsattack.html?lsrc=rss_main
by kelmon July 30, 2008 12:26 AM PDT
Agreed - Apple's silence on the issue is the worst part of this. Communication with your customers, particularly if they are worried, is very important.
Reply to this comment
by Vegaman_Dan July 30, 2008 7:45 AM PDT
Ask yourself, how many OS X servers are there really out there that are handling DNS requests? When compared to the *nix, Cisco, and Windows servers out there that are already patched? This really is an obscure exposure to worry about. Yes, it should be fixed as soon as they can, but it's not like there are a lot of them out there in the first place in positions to be vulnerable. Apple can afford to wait.
Reply to this comment
by fdunn3 July 30, 2008 9:26 AM PDT
All it takes is one server to poison many.
by Dalkorian July 30, 2008 12:38 PM PDT
http://www.macworld.com/article/134758/2008/07/dnsattack.html?lsrc=rss_main

No, they can't afford to wait. It's already begun.
by ittesi259 July 30, 2008 7:48 AM PDT
The annoying part here is that most consumers won't understand this is a problem for Mac servers and if you aren't going through one then this isn't an issue. I don't, so all I say is I hope my ISP patched.
Reply to this comment
by Dalkorian July 30, 2008 12:43 PM PDT
You don't have to hope. You can test it yourself! Two sites you should check out ...

Kaminsky's own DNS tester: http://www.doxpara.com/

DNS-OARC's DNS tester: https://www.dns-oarc.net/oarc/services/porttest
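The port test Dalkorian points to here and in his earlier comment (the porttest TXT query) works on one principle: the resolver under test sends a batch of queries, and the observer scores how widely its UDP source ports and 16-bit transaction IDs vary, since a fixed source port leaves only the TXID standing between a resolver and a poisoned cache. The Python below is an added example, not code from the article, from any commenter, or from DNS-OARC; it applies the same kind of scoring offline to a handful of constructed tcpdump-style capture lines. The cut-offs `GOOD_STDEV` and `FAIR_STDEV`, the addresses and the log lines are all constructed for illustration and are not DNS-OARC's actual thresholds or output format.

```python
"""Score a recursive resolver's source-port randomization from captured queries.

Added example: the log lines, IP addresses and rating thresholds are constructed
for illustration and do not reproduce DNS-OARC's porttest output or cut-offs.
"""
import re
import statistics
from dataclasses import dataclass

# Matches constructed tcpdump-style lines such as
#   "12:00:03.000000 IP 192.0.2.10.32768 > 198.51.100.5.53: 1003+ A? host3.example.net. (30)"
# and captures the resolver's UDP source port and the query's transaction id.
_QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+?"
)

# Illustrative cut-offs (assumption, not the real porttest thresholds).
GOOD_STDEV = 3000.0   # ports spread widely across the 16-bit space
FAIR_STDEV = 500.0    # some variation, but a narrow window


@dataclass
class Report:
    queries: int
    distinct_ports: int
    port_stdev: float
    distinct_txids: int
    rating: str


def parse_queries(lines):
    """Return (source_port, txid) for every line that looks like an outbound query."""
    result = []
    for line in lines:
        match = _QUERY_RE.search(line)
        if match:
            result.append((int(match.group("sport")), int(match.group("txid"))))
    return result


def rate_resolver(queries):
    """Rate a batch of observed queries as GOOD, FAIR or POOR."""
    if len(queries) < 2:
        raise ValueError("need at least two observed queries to rate a resolver")
    ports = [sport for sport, _ in queries]
    txids = [txid for _, txid in queries]
    distinct_ports = len(set(ports))
    spread = statistics.pstdev(ports)
    if distinct_ports == 1:
        rating = "POOR"   # fixed source port: only the TXID protects the cache
    elif spread >= GOOD_STDEV and distinct_ports >= 0.9 * len(ports):
        rating = "GOOD"
    elif spread >= FAIR_STDEV:
        rating = "FAIR"
    else:
        rating = "POOR"
    return Report(len(queries), distinct_ports, spread, len(set(txids)), rating)


# Constructed captures for three hypothetical resolvers (192.0.2.x, RFC 5737 range).
_FMT = "12:00:0{i}.000000 IP 192.0.2.10.{port} > 198.51.100.5.53: {txid}+ A? host{i}.example.net. (30)"

# Unpatched: one fixed source port and sequential transaction ids.
UNPATCHED_CAPTURE = [_FMT.format(i=i, port=32768, txid=1000 + i) for i in range(10)]

# Patched: source ports scattered across the usable range, non-sequential ids.
_PATCHED_PORTS = [1701, 9834, 17522, 24006, 31337, 38712, 45091, 52377, 59948, 64233]
_PATCHED_TXIDS = [48213, 9047, 61902, 3381, 27764, 55120, 14499, 40071, 58836, 22610]
PATCHED_CAPTURE = [_FMT.format(i=i, port=p, txid=t)
                   for i, (p, t) in enumerate(zip(_PATCHED_PORTS, _PATCHED_TXIDS))]

# Narrow window: ports do change, but only within a few thousand values.
NARROW_CAPTURE = [_FMT.format(i=i, port=32000 + 600 * i, txid=5000 + 7 * i) for i in range(10)]


def summarize():
    """Rate each constructed capture; handy for a quick run from the command line."""
    captures = {"unpatched": UNPATCHED_CAPTURE, "patched": PATCHED_CAPTURE, "narrow": NARROW_CAPTURE}
    return {name: rate_resolver(parse_queries(lines)) for name, lines in captures.items()}


if __name__ == "__main__":
    for name, report in summarize().items():
        print(f"{name:10s} {report.rating:4s} ports={report.distinct_ports:2d} "
              f"stdev={report.port_stdev:8.1f} txids={report.distinct_txids}")
```

The same parser works on a real `tcpdump -n udp dst port 53` capture taken on the resolver's outbound interface, which is the check to run on a server you cannot patch yet: a resolver that forwards everything to an upstream still shows its own source ports, and if they never change, the forwarding has not bought you anything.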