Home > Tech > BIND 9.3 and malwaredomains.com

BIND 9.3 and malwaredomains.com

I have been using a DNS blacklist from http://www.malwaredomains.com with BIND 9.3.x to redirect spyware communication to an internal honeypot machine. I got an alert this morning that the system was no longer responding to DNS requests. When I tried to manually start named, I found that I was getting an error due to an underscore in one of the entries in the blacklist.

Depending on where you get your information, underscores are either completely not-RFC compliant, or a normal and accepted part of DNS. What I didn’t understand was why I wasn’t one of half a million users of malwaredomains.com running into this same situation? If underscores are bad, malwaredomains.com should have gotten quite a few complaints before I jumped in. If underscores are ok, why is my BIND falling over when it finds one?

It turns out that prior to 9.3, even though there is a configuration option to check domain names for validity, BIND either didn’t check the names or checked in a different way that didn’t choke on underscores. Now in version 9.3, the checking has been turned on/expanded and it isn’t very happy when it finds that nasty underscore.

This is too bad, because anyone running a BIND server in an Active Directory environment will tell you that there are some DNS records with underscores in the names that are pretty important to the proper functioning of AD. I have a feeling this will be biting a lot of people migrating from older versions of BIND.

Whether or not underscores are ok, I needed to get my server running again. I got named up temporarily by deleting the offending record, but that wasn’t a permanent solution. One of my scripts would be downloading a new copy of the list at midnight. The record in question was a legitimately bad host that could be successfully resolved by a client, so I decided against modifying my script to parse the blacklist post-download and filter out any records containing an underscore. Instead, I did some research and then added the following two lines to the “options” section of my named.conf:

check-names master ignore;
check-names response ignore;

Restart named and poof! everything’s happy again.

UPDATE (10/01/10): After some correspondence between myself and the maintainer, malwaredomains.com has started adding the “check-names ignore;” on each line of their file that contains an underscore. Sweet!

  1. Dan L.
    January 27, 2012 at 3:08 PM

    I too have just experienced the same issue performing the same task. However, our version of BIND (9.3.6) on RedHAt does not tank when trying to process the zone file containing underscored names, it simply reports error in syslog “blah..blah…[bad name]”. It still loads the rest of the domains that are compliant and continues to function fine.

    Anyways, thanks for your article, it helped me to see someone else had the exact same experience.

    • February 2, 2012 at 1:34 PM

      It’s always reassuring to know you aren’t the only one seeing strange things!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: