[MaraDNS list] MaraDNS 1.4.08 and MaraDNS 1.3.07.12 released
Nicholas Bamber
nicholas at periapt.co.uk
Fri Dec 30 14:13:26 EST 2011
Sam,
Thanks for staying on top of security. I notice that the online
changelog has not been updated.
On 29/12/11 19:35, Sam Trenholme wrote:
> One issue with making software is that a responsible programmer takes
> responsibility for his mistakes. Even if the mistakes were made years
> ago. MaraDNS is a lot of code dating back to 2001; even though a good
> deal of the code has been completely rewritten, I still take
> responsibility for code I wrote in 2001 and 2002.
>
> I very strongly encourage people still using MaraDNS 1.x's recursive
> code to upgrade to MaraDNS 2, and use Deadwood to process recursive
> queries. I have completely rewritten the code from the ground up --
> Deadwood shares no code whatsoever with MaraDNS -- and did a better
> job of it the second time around.
>
> The new Deadwood recursive resolver, for example, has been using
> randomized hashes since 2007, and today's hash randomization attack
> making the rounds has never affected Deadwood. The older MaraDNS 1.x
> recursive code, however, did not use a randomized hash. While people
> really should be using Deadwood for recursive queries, I have released
> MaraDNS 1.4.08 and MaraDNS 1.3.07.12 with an updated randomized hash.
>
> For anyone who is still using MaraDNS 1, it is important to upgrade to
> this version so that hashes are randomized and not vulnerable to hash
> collision denial of service attacks. Or better yet, upgrade to
> MaraDNS 2.
>
> Note that a randomized hash needs a source of entropy; that in mind,
> the *NIX version of MaraDNS 1.4.08/1.3.07.12 requires /dev/urandom and
> the Windows version of MaraDNS needs "secret.txt" in the same
> directory as "maradns.exe". People running MaraDNS 1 on *NIX systems
> without /dev/urandom are on their own -- I do not support MaraDNS on
> anything besides CentOS, Scientific Linux, and Windows.
>
> Note that this security bug only affects you if:
>
> 1) You are using MaraDNS 1, *not* MaraDNS 2
>
> 2) recursive_acl is set in MaraDNS 1
>
> 3) Untrusted potential attackers can perform recursive queries with MaraDNS 1.
>
> For example, if using MaraDNS 1 as described in
> http://samiam.org/blog/20111128.html, one is safe as long as one's
> mararc file recursive_acl line looks like this:
>
> recursive_acl = "127.0.0.1/8"
>
> The tarball files can be found here:
>
> http://maradns.org/download/1.3
>
> http://maradns.org/download/1.4 (also has Windows binary)
>
> The patch is here:
>
> http://maradns.org/download/patches/maradns-1.3-secret_hash.patch
>
> - Sam
--
Nicholas Bamber | http://www.periapt.co.uk/
PGP key 3BFFE73C from pgp.mit.edu
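As an added illustration of the hash-collision issue Sam describes above (this is example code written for this page, not MaraDNS or Deadwood code; the unkeyed "h*31 + c" hash, the seeded FNV-1a variant, the 4096-bucket table and the "Aa"/"BB" name blocks are assumptions chosen for the demonstration, not what MaraDNS ships), the program below builds a set of attacker-chosen names that all land in one bucket under an unkeyed hash, then shows that mixing a per-process secret read from /dev/urandom into the hash breaks the precomputed collisions:

```c
/* Added example, not MaraDNS code: an unkeyed string hash lets a remote
 * attacker precompute names that all collide, so a cache keyed on such a
 * hash degrades into a linked list (hash collision DoS).  Seeding the hash
 * with a secret the attacker cannot see makes the collisions unreproducible. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 4096u          /* assumed cache table size for this illustration */

/* Unkeyed hash of the h = h*31 + c family.  Nothing about the server
 * influences it, so collisions can be found offline, once, for everyone. */
uint32_t hash_unkeyed(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++)
        h = h * 31u + (unsigned char)*s;
    return h;
}

/* Keyed hash: FNV-1a with its fixed initial state replaced by a secret seed
 * (assumed construction, not the patch's actual function).  Each byte step
 * h -> (h ^ c) * P with odd P is a bijection on uint32_t, so two names with
 * the same suffix can only collide if their earlier states already agree,
 * and whether they do depends on the seed. */
uint32_t hash_keyed(const char *s, uint32_t seed)
{
    uint32_t h = seed;
    for (; *s; s++)
        h = (h ^ (unsigned char)*s) * 0x01000193u;
    return h;
}

/* "Aa" and "BB" collide under the unkeyed hash (65*31+97 == 66*31+66 == 2112),
 * so every concatenation of those two blocks collides as well: NBLOCKS blocks
 * give 2^NBLOCKS names with identical hashes.  A real attacker uses more
 * blocks and gets thousands of names for the same bucket. */
#define NBLOCKS 4
#define NNAMES  (1 << NBLOCKS)
static char names[NNAMES][2 * NBLOCKS + 1];

static void build_colliding_names(void)
{
    for (int i = 0; i < NNAMES; i++) {
        for (int b = 0; b < NBLOCKS; b++)
            memcpy(names[i] + 2 * b, ((i >> b) & 1) ? "BB" : "Aa", 2);
        names[i][2 * NBLOCKS] = '\0';
    }
}

/* Count distinct values of (hash & mask) over the attacker's names.
 * mask = 0xFFFFFFFF compares full hashes, mask = NBUCKETS-1 compares buckets. */
size_t distinct_values(int keyed, uint32_t seed, uint32_t mask)
{
    uint32_t seen[NNAMES];
    size_t n = 0;
    build_colliding_names();
    for (int i = 0; i < NNAMES; i++) {
        uint32_t h = (keyed ? hash_keyed(names[i], seed)
                            : hash_unkeyed(names[i])) & mask;
        size_t j = 0;
        while (j < n && seen[j] != h)
            j++;
        if (j == n)
            seen[n++] = h;
    }
    return n;
}

int main(void)
{
    /* Like the *NIX build described in the announcement, refuse to run
     * without /dev/urandom rather than fall back to a guessable seed. */
    uint32_t seed = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&seed, sizeof seed, 1, f) != 1) {
        fputs("no usable /dev/urandom; refusing to seed the hash\n", stderr);
        return 1;
    }
    fclose(f);
    printf("%d attacker-chosen names, unkeyed hash: %zu distinct bucket(s)\n",
           NNAMES, distinct_values(0, 0, NBUCKETS - 1));
    printf("same names, hash seeded from /dev/urandom: %zu distinct bucket(s)\n",
           distinct_values(1, seed, NBUCKETS - 1));
    return 0;
}
```

The unkeyed run always reports a single bucket; the seeded run spreads the same names across the table, and a fresh seed at every start means the attacker cannot tune a new set of names against one long-running process either. The Windows build in the announcement takes its secret from "secret.txt" instead of /dev/urandom; the same argument applies as long as that file is unreadable to untrusted parties.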