Too lazy to keep up with OpenBSD releases? You can still upgrade BIND
Justin Krejci
jus at krytosvirus.com
Wed Jul 30 16:42:01 PDT 2008
Here are some simple instructions you can follow to upgrade your OpenBSD DNS
server running a no longer supported version of OpenBSD in case you are
concerned about the recent cache poisoning vulnerability. I cannot vouch for
the reliability of running a newer version of BIND on an older version of
OpenBSD but it appears stable running the 4.3 BIND on a 3.8 system.
Please expect your kernel to send you hate mail, your keyboard keys to pop
out, and your network card to drop every other packet if you follow these
procedures.
Step 1
Determine you really cannot upgrade to a recent version of OpenBSD.
Step 2
Verify your DNS server is vulnerable
dig txt +short porttest.dns-oarc.net @YOUR_SERVER
Look for the response. If it does not say GREAT, you are probably vulnerable.
Step 3
mkdir /tmp/4.3
cd /tmp/4.3
wget ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/004_bind.patch
wget ftp://ftp.openbsd.org/pub/OpenBSD/4.3/src.tar.gz
tar zxf src.tar.gz
patch -p0 < 004_bind.patch
cd usr.sbin/bind
make -f Makefile.bsd-wrapper obj
make -f Makefile.bsd-wrapper
sudo make -f Makefile.bsd-wrapper install
sudo kill -TERM `cat /var/run/named.pid`
sudo named -t /var/named
Step 4
Verify you are no longer vulnerable
dig txt +short porttest.dns-oarc.net @YOUR_SERVER
Now this should respond back with "GREAT".
You can visit https://www.dns-oarc.net/ for more info about the testing
procedure.
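As an added example that is not part of the original post: a small Python script that parses the TXT answer the porttest check in steps 2 and 4 returns, and applies the same port-spread rating to source ports you capture yourself from the resolver's outgoing queries. The rating thresholds are an assumption taken from the DNS-OARC service description, and the server address and port samples are constructed.

```python
import random
import re
import statistics

# DNS-OARC rates the spread (standard deviation) of the UDP source ports it sees
# from your resolver. Thresholds are an assumption, not from the post:
# std dev < 296 is POOR, < 3980 is GOOD, anything wider is GREAT.
POOR_BELOW = 296
GOOD_BELOW = 3980

# Shape of the TXT record porttest returns (dig +short wraps it in quotes), e.g.
# "192.0.2.53 is GREAT: 26 queries in 1.3 seconds from 26 ports with std dev 17981"
PORTTEST_RE = re.compile(
    r'(?P<ip>[\d.]+) is (?P<rating>GREAT|GOOD|POOR): (?P<queries>\d+) queries in '
    r'(?P<seconds>[\d.]+) seconds from (?P<ports>\d+) ports with std dev (?P<sd>\d+)'
)

def parse_porttest(dig_short_output):
    """Parse one line of `dig txt +short porttest.dns-oarc.net @SERVER` output.
    Returns None when the text is not a porttest answer."""
    m = PORTTEST_RE.search(dig_short_output.strip().strip('"'))
    if not m:
        return None
    d = m.groupdict()
    return {"ip": d["ip"], "rating": d["rating"], "queries": int(d["queries"]),
            "ports": int(d["ports"]), "std_dev": int(d["sd"])}

def rate_ports(ports):
    """Rate a list of source ports observed on outgoing queries (e.g. read off
    tcpdump on the resolver) the way porttest does: (rating, distinct, std_dev)."""
    distinct = len(set(ports))
    sd = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    if sd < POOR_BELOW:
        rating = "POOR"      # fixed or sequential port: trivially guessable
    elif sd < GOOD_BELOW:
        rating = "GOOD"      # randomised, but confined to a narrow window
    else:
        rating = "GREAT"     # spread across the whole unprivileged range
    return rating, distinct, sd

# Constructed samples: an unpatched resolver reusing one port for every query,
# and a patched one drawing from the full unprivileged range (seeded for repeatability).
FIXED_PORT_SAMPLE = [32768] * 26
rng = random.Random(2008)
RANDOM_PORT_SAMPLE = [rng.randint(1024, 65535) for _ in range(26)]

if __name__ == "__main__":
    print(parse_porttest('"192.0.2.53 is POOR: 26 queries in 1.2 seconds from 1 ports with std dev 0"'))
    print(rate_ports(FIXED_PORT_SAMPLE), rate_ports(RANDOM_PORT_SAMPLE))
```

Feed `rate_ports` ports taken from the resolver's own outbound traffic if you want a second opinion that does not depend on the external service.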