Warning: this article may contain opinions of the author that you and iTWire don't agree with.

Has Apple really fixed its BIND?

Opinion and Analysis

The point appears to be that Mac OS X client does not normally use its own BIND, but instead relies on an external DNS server, typically provided within the organisation (company, school, etc, if it runs its own servers) or by the ISP providing Internet connectivity. So if BIND normally isn't active on non-server Macs, then whatever Franzen and Storms were testing probably wasn't BIND.

That leaves the question of whether Mac OS X client does any caching of domain name/IP address pairs, and if it does, whether or not it is potentially vulnerable to cache poisoning in the same way as other DNS implementations.

The underlying issue was discovered in February, but not publicly disclosed until early July when several major vendors including Microsoft and Cisco released updates for their DNS software.

Knowing that DNS servers were using consecutive port numbers for requests provided attackers with a chance to add false entries to a server's cache of domain name to IP address mappings, which could cause the diversion of Internet traffic to malicious sites.
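The predictability described above can be checked from the defender's side by looking at the UDP source ports a resolver actually uses for its outbound queries. The following is an added example, not part of the original article; the function names, thresholds and sample port lists are assumptions constructed for illustration.

```python
import statistics

MAX_STEP = 8          # assumed: steps this small count as "consecutive"
MIN_SPREAD = 3000     # assumed: std-dev below this suggests a narrow port pool
TXID_SPACE = 2 ** 16  # DNS transaction IDs are 16 bits

# Constructed sample observations (not captured traffic).
FIXED = [53] * 12
SEQUENTIAL = [32768 + i for i in range(12)]
WRAPPING = [(65530 + i) % 65536 for i in range(12)]
NARROW = [1050, 1030, 1099, 1025, 1077, 1041, 1093, 1060, 1028, 1085, 1036, 1071]
RANDOMIZED = [49211, 1187, 60432, 23999, 8120, 51877,
              33014, 14650, 62201, 5733, 40128, 27946]


def classify_source_ports(ports):
    """Return 'fixed', 'sequential', 'narrow' or 'randomized' for a list of
    source ports observed, in order, on a resolver's outbound queries."""
    if len(ports) < 10:
        raise ValueError("need at least 10 observations")
    if len(set(ports)) == 1:
        return "fixed"
    # Step between successive queries, modulo the 16-bit port space so a
    # wrap-around from 65535 to a low port still counts as a small step.
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small = sum(1 for s in steps if 1 <= s <= MAX_STEP)
    if small / len(steps) >= 0.9:
        return "sequential"
    if statistics.pstdev(ports) < MIN_SPREAD:
        return "narrow"
    return "randomized"


def forgery_search_space(ports):
    """Number of (port, transaction ID) pairs a forged reply must cover.
    A predictable port leaves only the 16-bit transaction ID to match."""
    if classify_source_ports(ports) in ("fixed", "sequential"):
        return TXID_SPACE
    # Lower bound: only the distinct ports seen in this sample are counted.
    return TXID_SPACE * len(set(ports))


if __name__ == "__main__":
    for name in ("FIXED", "SEQUENTIAL", "WRAPPING", "NARROW", "RANDOMIZED"):
        sample = globals()[name]
        print(name, classify_source_ports(sample), forgery_search_space(sample))
```

A resolver rated "fixed" or "sequential" is relying on the transaction ID alone and should be updated; "narrow" means the ports vary but are drawn from a small range.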

There have been documented cases of attacks on commercially run DNS servers. One of them redirected Google traffic to a fake site.

Although a more rapid response from Apple would have been to the benefit of its server customers, your scribe is firmly in the Alfred E. Neuman camp: "What, me worry?" If my ISP hadn't patched its DNS servers (it has, as best I can tell), there's nothing I could do about it. But once a security fix is available, shouldn't it be rolled out to customers as soon as possible?
