BIND 9.3 and malwaredomains.com
I have been using a DNS blacklist from http://www.malwaredomains.com with BIND 9.3.x to redirect spyware communication to an internal honeypot machine. I got an alert this morning that the system was no longer responding to DNS requests. When I tried to manually start named, I found that I was getting an error due to an underscore in one of the entries in the blacklist.
Depending on where you get your information, underscores are either completely not-RFC compliant, or a normal and accepted part of DNS. What I didn’t understand was why I wasn’t one of half a million users of malwaredomains.com running into this same situation? If underscores are bad, malwaredomains.com should have gotten quite a few complaints before I jumped in. If underscores are ok, why is my BIND falling over when it finds one?
It turns out that prior to 9.3, even though there is a configuration option to check domain names for validity, BIND either didn’t check the names or checked in a different way that didn’t choke on underscores. Now in version 9.3, the checking has been turned on/expanded and it isn’t very happy when it finds that nasty underscore.
This is too bad, because anyone running a BIND server in an Active Directory environment will tell you that there are some DNS records with underscores in the names that are pretty important to the proper functioning of AD. I have a feeling this will be biting a lot of people migrating from older versions of BIND.
Whether or not underscores are ok, I needed to get my server running again. I got named up temporarily by deleting the offending record, but that wasn’t a permanent solution. One of my scripts would be downloading a new copy of the list at midnight. The record in question was a legitimately bad host that could be successfully resolved by a client, so I decided against modifying my script to parse the blacklist post-download and filter out any records containing an underscore. Instead, I did some research and then added the following two lines to the “options” section of my named.conf:
check-names master ignore; check-names response ignore;
Restart named and poof! everything’s happy again.
UPDATE (10/01/10): After some correspondence between myself and the maintainer, malwaredomains.com has started adding the “check-names ignore;” on each line of their file that contains an underscore. Sweet!