DNS Vulnerability Update: A Fix for MacOS X.
With a lot of effort from our staff and clients, the vast majority of the DNS servers in our datacenters have been patched for the vulnerability announced three weeks ago. However, one major server and operating-system vendor has yet to release a patch, namely Apple. Since Apple uses ISC's BIND as the basis for their DNS under MacOS X and MacOS X Server, there is no reason why you cannot fix this issue yourself on a Macintosh server. With thanks to one of our clients, as well as an old friend of mine who used to work at Apple, we present to you a series of step-by-step instructions for patching BIND on a MacOS X system. These instructions install the update in a location and manner that will still allow you to install Apple's patch, if/when it is finally released.
The following instructions assume you are working locally ON YOUR SERVER HERE at digital.forest. Most will use Apple's "Apple Remote Desktop" or Netopia's "Timbuktu" for remote management. Advanced users can use SSH connections via a terminal and should be able to see where the instructions below have been simplified for users of a GUI admin tool. If you are unsure about any of these steps, feel free to contact technical support via telephone or trouble ticket.
Resolving BIND insecurity problems on your OS X box at digital.forest:
Option 1: Turn off DNS service. Seriously -- do you really need it? You can feel free to use our recursive resolvers for your server's DNS needs. They are located at 216.168.32.229 and 64.69.73.100. For your own client machines at home or at your office, use your ISP's DNS servers.
Option 2: Updating Your Own BIND
1) If you do not already have the Apple Developer Tools, join the developer program (http://developer.apple.com/ -- it's free), download and install them.
2) At the BIND site (http://www.isc.org/index.pl?/sw/bind/index.php), download "bind-9.4.2-P1.tar.gz".
3) Open your Terminal application, and type the following commands:
cd ~/Downloads
(NOTE: This assumes the standard Safari download location)
tar -zxf bind-9.4.2-P1.tar.gz
cd bind-9.4.2-P1
sudo su
(NOTE: Type your password when prompted)
./configure --prefix=/usr/local
make
make test
make install
cd /usr/sbin
mv named named.hold
ln -s /usr/local/sbin/named named
sync
sleep 10
reboot
4) When Apple releases its patch, before you install it, launch your Terminal app again and type:
sudo su
(NOTE: Type your password when prompted)
cd /usr/sbin
mv named.hold named
sync
sleep 10
reboot
5) Install the Apple Security Update using Software Update
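The binary swap in steps 3 and 4 is the part of this procedure that can leave a server without a working named if it is typed twice or run before the build finished. Below is an added example, not part of the original post and not Apple's or ISC's code, that wraps the same mv/ln -s/mv-back steps in two shell functions with the safety checks the one-liners omit: the swap refuses to run if the new binary is missing or if named.hold already exists, the restore refuses to run if there is nothing to restore, and a version check lets you confirm which named will start at boot. The directory arguments are parameters (on a real server they would be /usr/sbin and /usr/local/sbin/named) so the functions can be exercised against a scratch tree; make_scratch builds that tree with constructed stand-in binaries that only print a version string.

```shell
#!/bin/sh
# Added example (not from the original post). Functions take the sbin directory
# and the path of the newly built named as arguments so they can be run against
# a scratch directory; on a live server use /usr/sbin and /usr/local/sbin/named.

# swap_named SBIN NEW_NAMED
# Step 3 of the post: move Apple's named aside as named.hold and symlink the
# freshly built binary in its place. Refuses to overwrite an existing named.hold
# (a previous swap) and refuses to proceed if the new binary is not there yet.
swap_named() {
    sbin="$1"; new="$2"
    if [ ! -x "$new" ]; then
        echo "swap_named: $new missing or not executable; run make install first" >&2
        return 1
    fi
    if [ ! -e "$sbin/named" ]; then
        echo "swap_named: $sbin/named not found; nothing to replace" >&2
        return 1
    fi
    if [ -e "$sbin/named.hold" ]; then
        echo "swap_named: $sbin/named.hold already exists; refusing to clobber it" >&2
        return 1
    fi
    mv "$sbin/named" "$sbin/named.hold" || return 1
    ln -s "$new" "$sbin/named" || return 1
}

# restore_named SBIN
# Step 4 of the post: put Apple's binary back before installing the vendor
# update. Removes the symlink only if it is one, then restores named.hold.
restore_named() {
    sbin="$1"
    if [ ! -e "$sbin/named.hold" ]; then
        echo "restore_named: $sbin/named.hold not found; nothing to restore" >&2
        return 1
    fi
    if [ -L "$sbin/named" ]; then
        rm "$sbin/named" || return 1
    fi
    mv "$sbin/named.hold" "$sbin/named" || return 1
}

# named_state SBIN: prints "symlink" (patched build in place) or "binary"
# (Apple's original), so you can tell at a glance which named will start.
named_state() {
    if [ -L "$1/named" ]; then echo symlink; else echo binary; fi
}

# named_version SBIN: runs the named that would start from SBIN with -v,
# which prints the version string (e.g. "BIND 9.4.2-P1" after the swap).
named_version() {
    "$1/named" -v 2>/dev/null
}

# make_scratch DIR: constructed stand-ins for testing only. Creates
# DIR/usr/sbin/named (pretend Apple binary) and DIR/usr/local/sbin/named
# (pretend fresh build); each is a tiny script that just prints a version.
make_scratch() {
    d="$1"
    mkdir -p "$d/usr/sbin" "$d/usr/local/sbin" || return 1
    printf '#!/bin/sh\necho "BIND 9.x (Apple, constructed stand-in)"\n' > "$d/usr/sbin/named"
    printf '#!/bin/sh\necho "BIND 9.4.2-P1"\n' > "$d/usr/local/sbin/named"
    chmod +x "$d/usr/sbin/named" "$d/usr/local/sbin/named"
}
```

One caveat worth checking on a live system: a BIND built with --prefix=/usr/local looks for its configuration under /usr/local/etc by default (the sysconfdir), not /etc, so after the swap confirm that named is started with the configuration file you intend, either by passing -c explicitly or by placing the file where the new build expects it.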
Hopefully Apple will release an official patch soon. Until then, however, this is your only recourse to make your server safe from this vulnerability. Again, big thanks go to Glenn Fleishman and Rich Mogull of TidBITS, and Chuq von Rospach for their valuable insight.
--Chuck Goolsbee
VP, Technical Operations
digital.forest, Inc.
posted by Chuck G. at 03:46 PM on Wednesday, July 30, 2008
Categories: DNS