Here is how to fix your nameserver - was Re: BIND update?
Ted Mittelstaedt
tedm at ipinc.net
Wed Jul 9 18:46:10 UTC 2008
Hi All,
OK, slight addition to this:
> -----Original Message-----
> From: Ted Mittelstaedt [mailto:tedm at ipinc.net]
> Sent: Wednesday, July 09, 2008 10:59 AM
> To: 'freebsd-security at freebsd.org'
> Subject: Here is how to fix your nameserver - was Re: BIND update?
>
>
>
>
> System: FreeBSD 6.3-RELEASE used as a nameserver
>
> Login and su to root
>
> cd /usr/ports/distfiles
>
> mkdir manual-build
>
> cd manual-build
>
> fetch http://ftp.isc.org/isc/bind9/9.3.5-P1/bind-9.3.5-P1.tar.gz
>
> gunzip bind-9.3.5-P1.tar
>
> tar xf bind-9.3.5-P1.tar
>
> cd bind-9.3.5-P1
>
> ./configure --disable-openssl-version-check (NOTE: The
> OpenSSL included with FreeBSD 6.3-RELEASE is vulnerable to 4
> security notifications, you should have patched it already)
>
> make
>
> rndc stop
>
> cd ./bin/named
>
> chmod u-w named
>
> mv /usr/sbin/named /usr/sbin/named.original
>
> mv named /usr/sbin/named
>
> cd ..
>
> cd rndc
>
> mv /usr/sbin/rndc /usr/sbin/rndc.original
> mv rndc /usr/sbin/rndc
>
cd /var/named/etc
cp /var/named/etc/namedb/rndc.key .
> /usr/sbin/named -4 -c /etc/namedb/named.conf -t /var/named -u root
>
> tail /var/log/messages
>
> make sure messages has:
> starting BIND 9.3.5-P1 -4 -c /etc/namedb/named.conf -t
> /var/named -u root in it
>
> nslookup www.freebsd.org
> (tests)
>
> you're done!
>
> named and rndc are both compiled with static libraries:
> liblwres.a libdns.a libbind9.a libisccfg.a libisccc.a libisc.a
>
> so there is no need to go replacing all of the resolver
> libraries and recompiling all the applications. The bug DOES
> NOT affect client applications that use the resolver libraries.
>
> This will get you going until FBSD 6.4 is out.
>
>
> Ted Mittelstaedt
> Author: The FreeBSD Corporate Networker's Guide
>
>
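
The log check in the steps above ("make sure messages has: starting BIND 9.3.5-P1 ..."), as an added example that is not part of the original post: it looks at the most recent named start-up line rather than whatever `tail` happens to show, so an older start-up entry is not mistaken for the rebuilt binary. The function names, host name, PIDs and the older version string in the sample log are constructed; the expected version and flags are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: confirm the latest named start-up in a syslog file is the
# rebuilt binary. Version and flags are from the post; all else is constructed.

EXPECTED_VERSION="9.3.5-P1"
EXPECTED_FLAGS="-4 -c /etc/namedb/named.conf -t /var/named -u root"

# Print the last "starting BIND" line found in log file $1.
latest_bind_start() {
    grep 'named\[[0-9]*]: starting BIND ' "$1" | tail -n 1
}

# Print the version token that follows "starting BIND " in line $1.
bind_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*starting BIND \([^ ]*\).*/\1/p'
}

# Return 0 only if the latest start-up in $1 matches version and flags.
# 1 = wrong version, 2 = no start-up line, 3 = version ok but flags differ.
check_bind_start() {
    line=$(latest_bind_start "$1")
    [ -n "$line" ] || { echo "no named start-up line in $1" >&2; return 2; }
    version=$(bind_version_of "$line")
    if [ "$version" != "$EXPECTED_VERSION" ]; then
        echo "named started as $version, expected $EXPECTED_VERSION" >&2
        return 1
    fi
    case "$line" in
        *"starting BIND $EXPECTED_VERSION $EXPECTED_FLAGS"*) return 0 ;;
        *) echo "version ok, start-up flags differ: $line" >&2; return 3 ;;
    esac
}

# Constructed sample log: an old start-up followed by the rebuilt one.
write_sample_log() {
    cat > "$1" <<'EOF'
Jul  9 09:12:01 ns1 named[412]: starting BIND 9.3.0-SAMPLE -t /var/named -u bind
Jul  9 11:40:17 ns1 named[412]: shutting down
Jul  9 11:41:02 ns1 named[8801]: starting BIND 9.3.5-P1 -4 -c /etc/namedb/named.conf -t /var/named -u root
Jul  9 11:41:02 ns1 named[8801]: running
EOF
}
```

After starting named, source the file and run `check_bind_start /var/log/messages`; a non-zero return means the newest start-up entry is not the 9.3.5-P1 build with the flags shown.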