Critical DNS security flaw found

A nasty bug has been found in the software that translates Internet computer names (hostnames) into numerical addresses that computers on a network can use (IP addresses). This is known as DNS software, which stands for Domain Name System.

When you navigate to www.enterprisedt.com in your web browser, your machine's DNS software contacts a DNS server - an authoritative machine somewhere on the Internet that knows how to translate the name into an IP address (209.59.162.95). Every computer connected to the Internet uses DNS.

This particular flaw was discovered independently, at about the same time, by Google and Red Hat. The technical details can be found here (from Google), and in even more detail here. In short, the DNS client software that looks up hostnames can't cope with very long replies. A reply longer than the memory set aside for it causes what's called a "buffer overflow" - memory beyond that space gets overwritten. If an attacker can arrange for it to be corrupted in precisely the right (well, wrong) way, they may be able to take over the machine.
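As an added illustration, not code from the post or from the affected software, here is the defensive shape of a DNS reply receive path in C: the comparison of the reply length against the buffer size is the check that a buffer overflow of this kind lacks. The buffer size `DNS_REPLY_MAX`, the `dns_reply` struct and the sample replies are assumptions constructed for this example.

```c
/* Added example: bounded storage of a DNS reply in a fixed-size buffer.
 * DNS_REPLY_MAX, the struct and the sample messages are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DNS_REPLY_MAX  512   /* assumed size of the caller's fixed buffer */
#define DNS_HEADER_LEN 12    /* a DNS message header is always 12 bytes */

struct dns_reply {
    uint16_t id;
    uint16_t qdcount;
    uint16_t ancount;
    size_t   len;
    uint8_t  data[DNS_REPLY_MAX];
};

/* Copy a raw reply into the fixed buffer only if it fits and carries a
 * complete header. Returns 0 on success, -1 if the reply is rejected.
 * The unsafe pattern this guards against is memcpy(buf, reply, len) with
 * no comparison of len against sizeof buf: a reply longer than the buffer
 * then overwrites whatever follows the buffer in memory. */
int dns_store_reply(struct dns_reply *out, const uint8_t *reply, size_t len)
{
    if (len < DNS_HEADER_LEN || len > sizeof out->data)
        return -1;                        /* truncated header, or too long */
    memcpy(out->data, reply, len);
    out->len     = len;
    out->id      = (uint16_t)(reply[0] << 8 | reply[1]);
    out->qdcount = (uint16_t)(reply[4] << 8 | reply[5]);
    out->ancount = (uint16_t)(reply[6] << 8 | reply[7]);
    return 0;
}

/* Constructed sample: a normal-sized reply with one answer is accepted. */
int demo_small_reply_accepted(void)
{
    uint8_t msg[300] = {0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01};
    struct dns_reply r;
    return dns_store_reply(&r, msg, sizeof msg) == 0 && r.ancount == 1;
}

/* Constructed sample: a reply far longer than the buffer is refused. */
int demo_long_reply_rejected(void)
{
    static uint8_t msg[2048];
    struct dns_reply r;
    memset(msg, 0x41, sizeof msg);
    return dns_store_reply(&r, msg, sizeof msg) == -1;
}
```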

This is important because DNS is used everywhere, by everyone. The bug itself is only in a Linux program, so most machines (e.g. Windows and Apple) aren't directly affected. But much of the Internet's infrastructure runs on Linux, and so many of the most important machines on the Internet might be vulnerable. It is also worth noting that this bug has been present for 8 years, even though it was only recently discovered.

A fix is already available, but patching all vulnerable machines will take a long time - possibly months or even years. The last serious DNS flaw took 10 years to fix! Let's hope this one won't take as long - the consequences could be serious.