DNS hostname exceeding maximum length

dns-host-ovf (636) The risk level is classified as HighHigh Risk

Description:

DNS responses for hostnames should not exceed a certain fixed length. A domain name exceeding the maximum length of 255 octets could indicate one of the following events:

  • a zone file error
  • incorrectly entered hostnames in nslookup queries
  • an attempt by an attacker to manipulate the DNS server

When Microsoft DNS Server encounters a resource record with a domain name exceeding the maximum length of 255 octets, the resource record is ignored by the DNS server.

Versions 4.x and earlier of BIND (Berkeley Internet Name Domain, a DNS server available for most versions of Unix) do not validate the maximum domain name length of 255 octets. Hostnames longer than this length can be returned to client programs performing DNS lookups. Client programs that do not check the length of the hostnames returned may overflow internal buffers when copying this hostname, allowing a remote attacker to gain root access or execute arbitrary commands on a targeted client computer.


Consequences:

Gain Access

Remedy:

Investigate the source of the invalid domain name. Ensure that the master DNS server is using the correct zone file. Correct any errors in the DNS zone file, such as bad DNS resource records, that are reported in the DNS error log. Ensure that security permissions are configured so that only the intended security principals have access.

— AND —

If you are using a version of BIND earlier than 4.x, upgrade to the latest version of BIND (8.2.2 patchlevel 5 or later), available from the BIND Web site. See References.

References:

Platforms Affected:

  • DNS DNS
  • ISC BIND 4
  • ISC BIND 4.9
  • ISC BIND 4.9.10
  • ISC BIND 4.9.2
  • ISC BIND 4.9.3
  • ISC BIND 4.9.4
  • ISC BIND 4.9.5
  • ISC BIND 4.9.5 P1
  • ISC BIND 4.9.6
  • ISC BIND 4.9.7
  • ISC BIND 4.9.8
  • ISC BIND 4.9.9
  • Microsoft Windows 2000
  • Microsoft Windows NT 4.0
  • Various vendors Any application

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page