Just a note that more vulnerabilities have been discovered that will require another round of patching. Infoblox have released a new version of NIOS to address these, and other vendors are publishing patches as I write this. The CVEs are summarised below: CVE-2016-2088: A response containing multiple DNS cookies causes servers with cookie support enabled […]
CVE-2016-1285, CVE-2016-1286 and CVE-2016-2088 vulnerabilities
CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
It’s been a torrid few months for BIND with various vulnerabilities and fixes published. This demonstrates the need to implement a robust patching schedule and it may make sense to reserve slots in your change control process to enable systems, like DNS servers, to be kept up to date with the latest security fixes. However […]
An update on recent DNS & DHCP vulnerabilities
There have been several DNS and DHCP vulnerabilities published recently. All the main DDI vendors have now released patches as far as we can tell. Two BIND vulnerabilities in particular are serious enough to justify patching your systems. For Infoblox customers, this means an upgrade to NIOS 7.2.5, which will address the following vulnerabilities: CVE-2015-8704: A […]
Understanding Infoblox/ISC DHCP and “abandoned” leases
I have had several discussions lately relating to the recycling of abandoned leases in Infoblox DHCP (which is based upon ISC dhcpd). There seems to be a common misunderstanding about how the process works. To recap, an abandoned lease occurs when the DHCP server encounters one of the following situations: A client is attempting to […]
Using Infoblox DHCP failover
Infoblox DHCP is based upon ISC DHCP with a few tweaks here and there. The DHCP failover mechanism that it employs started as a relatively simple 14 page IETF draft proposal (available here) that was implemented in Alcatel-Lucent/Nokia VitalQIP (then Quadritek, the authors of the draft). Over a period of time, the draft was reviewed, revised […]
Configuring Google SafeSearch with Infoblox DNS Firewall
We recently did some work for a county council who wanted to enable Google SafeSearch for all the schools under their jurisdiction. Initially they were trying to use internal versions of google.com and google.co.uk with a CNAME record for www that redirected to forcesafesearch.google.com, but this is not an ideal solution for various reasons: Other “google.com” […]
CVE-2015-5477: Sorry, you will need to patch if you’re running BIND!
We don’t normally get too involved with discussing or publishing details about bugs and patches for BIND; however, the severity of CVE-2015-5477 has prompted a couple of customers to email me directly, who I think just wanted a second opinion. Basically, yes, you do have to patch BIND! Unfortunately, the news from […]
Should a DNS Firewall be part of your defence-in-depth strategy?
There has been a slew of DNS Firewall related market activity recently that makes me wonder if DNS Firewall related products/solutions are finally gaining market acceptance. OpenDNS is probably one of the best-known DNS Firewall vendors, operating a global network of recursive servers that anyone can use for free, but with the option […]
Is DANE DNSSEC’s killer app?
DANE has been around for a few years now but still seems to be a bit of an underground topic. It hardly ever crops up in conversations I have with prospects and the fact it is reliant on DNSSEC, which takes a serious commitment to implement, makes me wonder if this is just another good […]
Options for refreshing your Infoblox kit
As part of a continuous improvement process, Infoblox replace older appliances with new models which are designed to handle increasing demands on your network. It’s important to note that if you are running older Infoblox hardware (so-called “-A” appliances), it will be reaching end-of-life (EOL) on December 31, 2015. After that date, Infoblox will no […]