ISC has released a new version of BIND 8, which fixes a vulnerability allowing malicious people to poison the DNS cache.
The problem is that negative answers may be cached from the wrong source. This can be exploited to cause a "Denial of Service" against certain domains, because BIND will read the wrongly cached negative answer instead of querying the right source.
Solution: A DNS cache should only be accessible from specified IP addresses. A proper firewall filter will limit the possibilities of sending spoofed or fake answers to the DNS cache.
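The access restriction described above, written as a BIND 8 `named.conf` fragment. This is an added example, not part of the original advisory; the ACL name `trusted` and the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges are placeholders for your own client networks.

```conf
// named.conf (BIND 8 syntax). Constructed example: the ACL name and the
// address ranges below are placeholders, not values from the advisory.

// Weak: with no allow-query / allow-recursion statement, named answers
// recursive queries from any source address, so any host can make the
// cache look up, and store answers for, names of its choosing.
//
// options {
//     // no access restrictions
// };

// Restricted: only the listed client networks may use the cache.
acl trusted {
    127.0.0.1;
    192.0.2.0/24;       // placeholder: internal client network
    198.51.100.0/24;    // placeholder: second client network
};

options {
    // Recursive lookups (the ones that populate the cache) are only
    // performed for clients matching the ACL.
    allow-recursion { trusted; };

    // Queries of any kind are only answered for the same clients.
    allow-query { trusted; };
};

// If this server is also authoritative for public zones, the global
// allow-query above would hide them from the Internet; a per-zone
// allow-query { any; }; statement overrides it for that zone only.
```

The firewall filter the advisory mentions is a separate control: it should drop inbound packets that claim a source address from the trusted networks but arrive on the external interface, since the ACL alone matches on a source address that can be spoofed.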