[dns-operations] CVE 2015-8000 actively exploited yesterday

Robert Edmonds edmonds at mycre.ws
Thu Dec 17 01:49:10 UTC 2015

Jared Mauch wrote:
> You can always take something like dnsdist and stick it in front of a cluster
> of servers, or ask RedHat to package a better init.d/systemd script to respawn
> the daemon.

RHEL 7 is systemd-based (so it doesn't help the original poster, who's
running RHEL 6, which is upstart-based), so this is basically a
one-liner.  You set a "Restart=" value in the [Service] section of the
named.service unit file.  For the full documentation, see

The named.service unit shipped in RHEL 7 (actually CentOS 7.2.1511)
doesn't set Restart=, so the default is "Restart=no".  The Fedora
packagers recommend "Restart=on-failure" or "Restart=on-abnormal" for
long-running daemons:


(Of course, the server still can't answer any queries in the time
between the abort and being restarted by the init system.)

> I generate my config out of a database, so having something output another
> format is fairly painless. Maybe that is PowerDNS or NSD or knot.  Lots of
> people use BIND because it’s considered the ‘reference implementation’ by
> the community.  this is also why when using NTP people use the ntp.org one
> vs chrony, OpenNTPD or something else.  (Me, I recommend chrony).

systemd-timesyncd is also a pretty good SNTP client.  I especially like
how it doesn't leave a UDP port open, except when it's making a request.

> Either way, diversity creates options and building a solution to restart
> the daemon is as easy as:
> #/bin/bash
> while true; do
> 	/usr/sbin/named -f $OTHER_ARGS
> done

Well, if you go down that route, please make sure there's a ! in the
shebang :-)

Robert Edmonds

More information about the dns-operations mailing list