DNS64 is a mechanism for synthesizing AAAA records from A records. It is traditionally used to allow IPv6-only clients to receive IPv6 addresses that are proxied to IPv4 addresses. The RPZ (Response Policy Zone) mechanism is used by DNS recursive resolvers to apply customized handling when resolving particular collections of domain names.
Versions 9.8.8, 9.9.3-S1, 9.9.3, 9.9.10b1, 9.10.0, 9.10.5b1 and 9.11.0 are all considered vulnerable, according to the ISC.
When a server uses both mechanisms simultaneously, a vulnerability (CVE-2017-3135) in query processing can leave the server in an inconsistent state, triggering either an INSIST assertion failure or an attempt to read through a NULL pointer, according to a security advisory published Wednesday.
The INSIST assertion failure can lead to a subsequent abort, ISC said, while the NULL pointer read can in some instances cause a segmentation fault, which terminates the process.
Depending on which version of BIND they are running, users can apply a patched release: BIND 9.9.9-P6, BIND 9.10.4-P6 or BIND 9.11.0-P3. Users can also remove either DNS64 or RPZ from their configuration as a workaround, but the ISC says the safest move is simply to update BIND.
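To find resolvers that run the affected combination before patching, here is an added shell audit (not ISC's tooling or code from the article) that flags a named.conf enabling both `dns64` and `response-policy`; the helper names and the sample configuration are my own constructions.

```shell
#!/bin/sh
# Hypothetical audit helper for the CVE-2017-3135 precondition:
# DNS64 and RPZ enabled in the same BIND configuration.

# Report which of the two features a named.conf enables.
# Prints one of: none, dns64, rpz, both.
# Note: strips "//" and "#" comments only; "/* */" blocks are not handled.
bind_feature_state() {
    conf="$1"
    stripped=$(sed -e 's://.*$::' -e 's:#.*$::' "$conf")
    d=0; r=0
    printf '%s\n' "$stripped" | grep -Eq '(^|[[:space:];{}])dns64[[:space:]]' && d=1
    printf '%s\n' "$stripped" | grep -Eq '(^|[[:space:];{}])response-policy[[:space:]]*[{]' && r=1
    case "$d$r" in
        11) echo both ;;
        10) echo dns64 ;;
        01) echo rpz ;;
        *)  echo none ;;
    esac
}

# Exit status 1 (needs attention) only when both features are present.
audit_named_conf() {
    state=$(bind_feature_state "$1")
    if [ "$state" = both ]; then
        echo "WARNING: $1 enables both dns64 and response-policy;" \
             "update to BIND 9.9.9-P6 / 9.10.4-P6 / 9.11.0-P3 or disable one of them" >&2
        return 1
    fi
    echo "OK: $1 (features enabled: $state)"
    return 0
}

# Constructed sample configuration showing the affected combination.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;
    // NAT64 well-known prefix; synthesizes AAAA answers from A records
    dns64 64:ff9b::/96 { clients { any; }; };
    response-policy { zone "rpz.example.internal"; };
};
zone "rpz.example.internal" { type master; file "rpz.db"; };
EOF

audit_named_conf "$SAMPLE_CONF"
```

Run it against the real `/etc/named.conf` (or the output of `named-checkconf -p`) instead of the sample to check a production resolver.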
Ramesh Damodaran and Aliaksandr Shubnik, engineers at Infoblox, a Silicon Valley firm that provides DNS, DHCP and IP management, uncovered the vulnerability and reported it to the ISC. Damodaran previously helped identify an unspecified packet-processing remote denial-of-service vulnerability in BIND 9.
It is the fifth issue in 2017 to affect BIND, the open source software that helps users publish their DNS information. The ISC pushed fixes in January for four other issues, all considered high severity, that could lead to assertion failures.