1. 29

  2. 8

    …their dependence on the BIND nameserver daemon…

    I’m tinged reading this: Back in 1998, I had recently taken over a small ISP connected to MAE-East, and was in the process of moving everything off of BIND and Sendmail: The old custodians had been fighting with daily hacks, spammers, bouncers, and had given up. SSH and switched networks still weren’t popular. tcpdump was released later this year. IPv6 was essential or we were going to run out of IP addresses within the year. And so on.

    I had a weird problem: my DNS caches keep learning the wrong names for things. Sometimes for my own domain names. The BIND group was worthless, telling me what I was seeing was impossible. Like everything would be fine, but then yahoo.com (not my domain) would suddenly point someplace random. I restart BIND and everything is okay for a bit. I had a script probe my cache every few minutes to wait for it and kill BIND. It had to kill BIND every few minutes! I had a big zone file, BIND took a long time to start up. This wasn’t great.

    I remember seeing one BIND leader flame someone “too stupid” to apply patches to their operating system to get unpredictable TCP sequence numbers – dealing with someone who was getting their zone transfers interfered with, and suddenly I realised what was going on: Those assholes had separated their concerns. There wasn’t a bug because programmers had defined bug as something they needed to fix, instead of something that wasn’t working the way an ordinary person would expect.

    This is one of the first times that I began to realise the mere avoiding of “layer violations” will hide bugs, so layers needed to go. Knowing where the problem was meant a couple days of inserting memcmp+yahoo and printf everywhere helped me find out what was going on and get a fix in (hint: BIND didn’t randomise the source port numbers at this time).
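The hint in the comment above (a resolver that does not randomise its source ports), turned into a check an operator can run over captured outgoing queries. This is an added example, not part of the original comment and not BIND code; the function names, the sample queries and the rough `guess_bits` heuristic are assumptions made for illustration.

```python
import math
import struct

def build_query(txid, qname="example.test"):
    """Build a minimal DNS A query (used only for the constructed samples)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _predictable(values):
    """True if the sequence is constant or advances by one fixed step."""
    deltas = {(b - a) % 65536 for a, b in zip(values, values[1:])}
    return len(deltas) <= 1

def assess(samples):
    """samples: list of (udp_source_port, raw_query_bytes) in capture order."""
    if len(samples) < 3:
        raise ValueError("need at least 3 queries to judge predictability")
    ports, txids = [], []
    for port, raw in samples:
        if len(raw) < 12:
            raise ValueError("truncated DNS header")
        txid, flags = struct.unpack("!HH", raw[:4])
        if flags & 0x8000:
            raise ValueError("QR bit set: this is a response, not a query")
        ports.append(port)
        txids.append(txid)
    port_pred, txid_pred = _predictable(ports), _predictable(txids)
    # Rough heuristic (assumption): bits an off-path forger still has to guess.
    bits = 0.0
    if not txid_pred:
        bits += 16
    if not port_pred:
        bits += math.log2(max(ports) - min(ports) + 1)
    return {"port_predictable": port_pred,
            "txid_predictable": txid_pred,
            "guess_bits": round(bits, 1)}

# Constructed samples: every query leaves from one fixed port ...
FIXED_PORT = [(53, build_query(t)) for t in (0x1A2B, 0x9F01, 0x0444, 0xC3D0)]
# ... versus ports spread over a 16384-wide range.
RANDOM_PORT = [(p, build_query(t)) for p, t in
               ((1024, 0x1A2B), (9000, 0x9F01), (17407, 0x0444), (5000, 0xC3D0))]

if __name__ == "__main__":
    print("fixed port :", assess(FIXED_PORT))
    print("random port:", assess(RANDOM_PORT))
```

With a fixed source port only the 16-bit transaction ID stands between a forged answer and the cache, which is why the second sample scores so much higher.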

    1. 1

      That’s really interesting, do you have more information about the BIND issue?

      1. 1

        Well, here’s a good place to start. Look at the year. 2008. December. Saves the Internet.

        Now look at this. 2001. July.

        Same bug.

        And it was the same bug I was running into in 1998. And not just me.

        Go further back, you’ll find cache poisoning is actually a very old problem.

        Maybe you would wonder how these could all be the same thing? Maybe you could wonder how could a bug survive in popular software so long being actively exploited?

        But back in 1997, it was difficult to get all of this information together in one place, and the mailing lists where a lot of DNS-related information (attacks that were going on, etc.) were heavily moderated by people who… well, let’s just say it was an open secret that you could impugn BIND all you want: nobody will ever see it.