2017-06-30 - News - Tony Finch
In case you have not already seen it, last night ISC.org announced a serious vulnerability in BIND: if you have a server which allows dynamic DNS UPDATE then a remote attacker may be able to alter your zones without proper authentication. For more details see:
Note that update-policy local; uses a well-known TSIG key name (local-ddns) and does not include any IP address ACL restriction, so it is extremely vulnerable to this attack: the attacker needs to know only the key's name, not its secret, and that name is the same on every server using update-policy local. To mitigate this you can replace

update-policy local;

with

allow-update { !{ !localhost; any; }; key local-ddns; };

This denies updates that come from anywhere except localhost, and then allows updates that are signed with the built-in local-ddns key; an update has to pass both checks, because the negated nested list is evaluated before the key element. For a longer explanation, see
https://kb.isc.org/article/AA-00723/0/Using-Access-Control-Lists-ACLs-with-both-addresses-and-keys.html
You can still use nsupdate -l with this configuration, since nsupdate -l sends its updates to localhost signed with the local-ddns session key.
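To see why the nested ACL works where a plain key element does not, here is a small evaluator of BIND address-match-list semantics (first matching element wins, a negated element denies, a negative match inside a nested list counts as no match at all). This is an added example written for this post, not code from ISC or from the page; it approximates update-policy local; by the key-only list { key local-ddns; } and approximates localhost as 127.0.0.0/8 and ::1 rather than the server's real interface addresses. The two named.conf fragments and the source addresses are constructed test inputs.

```python
import ipaddress

# Constructed inputs. WEAK_ACL stands in for what "update-policy local;"
# amounts to: any source, as long as the request is signed with local-ddns.
# HARDENED_ACL is the replacement recommended above.
WEAK_ACL = "{ key local-ddns; };"
HARDENED_ACL = "{ !{ !localhost; any; }; key local-ddns; };"

# Simplification: real BIND matches "localhost" against every interface
# address of the host; loopback is enough to show the behaviour.
LOCALHOST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def tokenize(text):
    """Split a named.conf address match list into '{', '}', ';', '!' and words."""
    tokens, i = [], 0
    while i < len(text):
        c = text[i]
        if c.isspace():
            i += 1
        elif c in "{};!":
            tokens.append(c)
            i += 1
        else:
            j = i
            while j < len(text) and not text[j].isspace() and text[j] not in "{};!":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse_acl(text):
    """Recursive-descent parse into a list of (negated, (kind, value)) elements."""
    tokens, pos = tokenize(text), 0

    def parse_list():
        nonlocal pos
        assert tokens[pos] == "{", "expected '{'"
        pos += 1
        elements = []
        while tokens[pos] != "}":
            negate = tokens[pos] == "!"
            if negate:
                pos += 1
            if tokens[pos] == "{":
                elem = ("nested", parse_list())
            elif tokens[pos] == "key":
                elem = ("key", tokens[pos + 1])
                pos += 2
            else:
                elem = ("addr", tokens[pos])
                pos += 1
            assert tokens[pos] == ";", "expected ';' after element"
            pos += 1
            elements.append((negate, elem))
        pos += 1  # consume the closing '}'
        return elements

    return parse_list()


def match_address(spec, source):
    addr = ipaddress.ip_address(source)
    if spec == "any":
        return True
    if spec == "none":
        return False
    if spec == "localhost":
        return any(addr in net for net in LOCALHOST)
    return addr in ipaddress.ip_network(spec, strict=False)


def match_acl(acl, source, signer):
    """Return +1 (positive match), -1 (negated match) or 0 (no element matched)."""
    for negate, (kind, value) in acl:
        if kind == "nested":
            # BIND treats a negative result from a nested list as "no match",
            # so !{ !localhost; any; } only fires for non-local sources.
            matched = match_acl(value, source, signer) > 0
        elif kind == "key":
            matched = signer == value
        else:
            matched = match_address(value, source)
        if matched:
            return -1 if negate else 1
    return 0


def update_allowed(acl_text, source, signer=None):
    """allow-update semantics: permitted only on a positive first match."""
    return match_acl(parse_acl(acl_text), source, signer) > 0


if __name__ == "__main__":
    for acl in (WEAK_ACL, HARDENED_ACL):
        for src, key in (("203.0.113.7", "local-ddns"), ("127.0.0.1", "local-ddns"), ("127.0.0.1", None)):
            print(acl, src, key, "->", update_allowed(acl, src, key))
```

With the key-only list a remote host claiming the local-ddns key gets through, which is exactly the exposure; with the nested list it is refused while nsupdate -l from 127.0.0.1 or ::1 still succeeds.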
Our master DNS server has very strict packet filters which should be effective at mitigating this vulnerability until I can update the servers.