Here is how to fix your nameserver - was Re: BIND update?
Ted Mittelstaedt
tedm at ipinc.net
Wed Jul 9 18:22:17 UTC 2008
Hi All,
First, knock off the goddam posturing.
Second, named is statically linked, so there
is NO BIG FRAGGING DEAL with upgrading your nameserver.
Here is how you do it:
System: FreeBSD 6.3-RELEASE used as a nameserver
Login and su to root
cd /usr/ports/distfiles
mkdir manual-build
cd manual-build
fetch http://ftp.isc.org/isc/bind9/9.3.5-P1/bind-9.3.5-P1.tar.gz
gunzip bind-9.3.5-P1.tar
tar xf bind-9.3.5-P1.tar
cd bind-9.3.5-P1
./configure --disable-openssl-version-check
(NOTE: The OpenSSL included with FreeBSD 6.3-RELEASE is vulnerable to 4 security notifications, you should have patched it already)
make
rndc stop
cd ./bin/named
chmod u-w named
mv /usr/sbin/named /usr/sbin/named.original
mv named /usr/sbin/named
cd ..
cd rndc
mv /usr/sbin/rndc /usr/sbin/rndc.original
mv rndc /usr/sbin/rndc
/usr/sbin/named -4 -c /etc/namedb/named.conf -t /var/named -u root
tail /var/log/messages
make sure messages has:
starting BIND 9.3.5-P1 -4 -c /etc/namedb/named.conf -t /var/named -u root
in it
nslookup www.freebsd.org
(tests)
You're done!
named and rndc are both compiled with static libraries:
liblwres.a
libdns.a
libbind9.a
libisccfg.a
libisccc.a
libisc.a
so there is no need to go replacing all of the resolver libraries and recompiling all the applications. The bug DOES NOT affect client applications that use the resolver libraries.
This will get you going until FBSD 6.4 is out.
Ted Mittelstaedt
Author: The FreeBSD Corporate Networker's Guide
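Added example (not part of the original post): a small sh check for the "make sure messages has ..." step above, which looks only at the most recent "starting BIND" line so an older start entry still in the log cannot pass for the new build. The function names, the host name and the sample log lines are constructed for illustration, and the old version string is a placeholder.

```sh
#!/bin/sh
# Added example: confirm from syslog that the most recent named start is the
# freshly built version. Function names and sample log lines are constructed.

# Print the last "starting BIND" line in the given log file (empty if none).
last_bind_start() {
    sed -n '/starting BIND /p' "$1" | tail -n 1
}

# Print the version reported by the most recent start line.
running_bind_version() {
    last_bind_start "$1" | sed -n 's/.*starting BIND \([^ ]*\).*/\1/p'
}

# Print the -u argument (run-as user) from the most recent start line, so it
# can be compared with the flags named is normally started with on this host.
running_bind_user() {
    last_bind_start "$1" | sed -n 's/.* -u \([^ ]*\).*/\1/p'
}

# Return 0 only if the most recent start line reports the expected version,
# 1 on a version mismatch, 2 if the log has no start line at all.
verify_bind_upgrade() {
    log=$1
    expected=$2
    actual=$(running_bind_version "$log")
    if [ -z "$actual" ]; then
        echo "no 'starting BIND' line in $log" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "named reports $actual, expected $expected" >&2
        return 1
    fi
    echo "named $actual started, run-as user: $(running_bind_user "$log")"
}

# Constructed sample: an old start line (placeholder version) followed by the
# post-upgrade start line quoted in the post.
write_sample_log() {
    cat > "$1" <<'EOF'
Jul  9 03:10:01 ns1 named[412]: starting BIND 9.3.X-OLD -4 -c /etc/namedb/named.conf -t /var/named -u bind
Jul  9 18:05:44 ns1 named[412]: shutting down
Jul  9 18:06:02 ns1 named[977]: starting BIND 9.3.5-P1 -4 -c /etc/namedb/named.conf -t /var/named -u root
Jul  9 18:06:02 ns1 named[977]: running
EOF
}

# On the server: verify_bind_upgrade /var/log/messages 9.3.5-P1
```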