
Root Server Hints file out of date in Mac OS X Server

With all the recent attention on the DNS exploit and the delay by Apple in providing a response, I thought I would undertake a deeper review of some of our DNS systems. We were already protected from the exploit, as we do not provide recursive service with any of our unpatched DNS servers.

Turns out that not only has Apple not patched the BIND install as of July 29, they haven’t really kept up with the installed config files either, specifically the root server hints file (/var/named/named.ca).

DNS is a distributed system, but a DNS resolver has to be given a place to start its search for your name resolution request. That’s what the 13* root servers are for. They are the top of the tree, so to speak. They are strategically placed around the world and load balanced, and they are THE critical part of the Internet infrastructure.

The hints file is populated with the names/IP addresses of the 13 root servers, preset like so:

A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4

This goes on down from A to M.

Occasionally, the IP address of one of the root servers will change. There have been two updates in the past 4 years: B and L.

Old:
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12

New:
; updated Jan 29, 2004
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
; updated Nov 1, 2007
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.4

In Tiger Server, both B and L are out of date even with all updates and security patches applied.

Leopard Server (up to 10.5.4) still shows the L root server out of date.

Update your /var/named/named.ca with the new entries, preferably by replacing it with this file:

ftp://rs.internic.net/domain/named.root

then stop/start the named process.

The hints file from internic will also include IPv6 information.
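Before restarting named it is worth confirming which entries actually differ. The following checker is an added example, not part of the original post: it parses a local hints file and a downloaded reference copy of named.root and lists root-server A/AAAA records whose addresses disagree. The two sample files are constructed inline from the old and new B and L entries shown above.

```shell
#!/bin/sh
# Compare a BIND root hints file against a reference named.root and report stale
# root-server addresses. Master-file lines look like: NAME TTL [CLASS] TYPE RDATA
# with ';' starting a comment. Only A/AAAA records are compared.

# Print "NAME TYPE RDATA" for every A/AAAA record in file $1, uppercased and sorted.
hints_records() {
    awk '
        { sub(/;.*/, "") }                              # strip comments
        NF >= 4 {
            t = 3; if (toupper($3) == "IN") t = 4       # optional class column
            if (toupper($t) == "A" || toupper($t) == "AAAA")
                print toupper($1), toupper($t), toupper($(t + 1))
        }
    ' "$1" | sort
}

# For each record in the reference ($2), print a line when the local file ($1)
# lacks it or carries a different address:  NAME TYPE LOCAL -> REFERENCE
hints_stale() {
    local_recs=$(hints_records "$1")
    printf '%s\n' "$(hints_records "$2")" | while read -r name type addr; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$local_recs" | awk -v n="$name" -v t="$type" '$1 == n && $2 == t { print $3 }')
        [ "$have" = "$addr" ] || printf '%s %s %s -> %s\n' "$name" "$type" "${have:-MISSING}" "$addr"
    done
}

# Constructed sample data (not real server files): a stale Tiger-era hints file
# and a reference excerpt holding the current B and L addresses.
STALE=$(mktemp); REF=$(mktemp)
cat > "$STALE" <<'EOF'
; stale hints file (constructed)
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
EOF
cat > "$REF" <<'EOF'
; reference named.root excerpt (constructed)
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.4
EOF
hints_stale "$STALE" "$REF"
# On a real server: hints_stale /var/named/named.ca /path/to/downloaded/named.root
```

An empty result means the local hints file already matches the reference for every A/AAAA record.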

The guys at Renesys wrote a good article about the potential dangers of not querying the correct root servers.

Links:
http://www.root-servers.org/

* – The count is 13 because that’s the maximum number of DNS records that can be crammed into a single IP packet response.
