Any Info on how to patch for the new DNS vulnerability?

[chrisroge]

kb.cert.org Vulnerability Note VU#800113

This says to patch DNS among other suggestions. Does VPSLINK have any information that can help us patch our DNS servers for this? I run BIND on my CENTOS server, so I am concerned.

I ran "update server software" from WHM and got the following:
Package bind - 30:9.3.4-6.0.2.P1.el5_2.i386 is already installed.
Package bind-devel - 30:9.3.4-6.0.2.P1.el5_2.i386 is already installed.
Package bind-libs - 30:9.3.4-6.0.2.P1.el5_2.i386 is already installed.
Package bind-utils - 30:9.3.4-6.0.2.P1.el5_2.i386 is already installed

However the BIND site says we should update to the patch within our major revision, this would be for me 9.3.5-P1. How do I update to 9.3.5-P1 w/o breaking something in Cpanel (assuming I need to do this from the command line) - should I just sit tight until Cpanel provides a later package and re-run "update server software" to get it?

[DanL@VPSLink]

The best method for avoiding DNS cache poisoning on your VPS will be to disable recursion (as suggested in the CERT DNS Vulnerability notice).

The Securing an Internet Name Server document on the CERT site contains instructions for BIND.

[Defenestrator]

What are you using your BIND server for? If you're using it for an authoritative server and not for recursion, you should just turn recursion off in the config. The vulnerability is a cache poisoning attack, so it doesn't apply to authoritative nameservers that don't do recursive lookups.

[jkfritcher]

To answer the original question, on CentOS 5, the patches against the exploit were integrated into version 9.3.4-6.0.1. If it says you have 9.3.4-6.0.2 then you are patched. Otherwise the advice about turning off recursion if its not needed is dead on.