Skip to content
Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals
Log In
Glenn Fleishman

Secure Your DNS Since Apple Hasn’t

[Editor’s note: This article is now obsolete. On 31-Jul-2008, Apple released a set of security updates for Mac OS X 10.4.11 Tiger and 10.5.4 Leopard that patch the flaw, and render the advice below unnecessary. See “Fix for DNS Flaw Released by Apple,” 2008-07-31, for details. I have confirmed that Apple’s Leopard installation overwrites the files I installed through this manual method. -gf]

As Rich Mogull and I wrote a few days ago, Apple has lagged behind nearly every other operating system and computer maker in releasing an update to a critical flaw in the way in which domain name system (DNS) software has been implemented. (See “Apple Fails to Patch Critical Exploited DNS Flaw,” 2008-07-24.) This flaw allows an attacker to fool a DNS server into accepting the wrong IP address for a domain name. While servers that provide DNS lookups to clients – such as customers of a large ISP – are most vulnerable, individual Macs are also at risk although they have much less likelihood of being attacked.

I tested out a simple command-line method of installing BIND 9.4.2-P1 in Mac OS X 10.5.4 Leopard; this release is an updated version of the widely used software that handles DNS for tens of millions of servers and ordinary systems worldwide. Although there’s a newer version – 9.5.0-P1 – Leopard still uses 9.4.1, and patching it to 9.4.2-P1 makes more sense than moving up an entire release version.

Proceed at your own risk! This process worked for me, but it may not for you. You likely want to have a full backup in place. This will not work with Tiger or earlier versions of Mac OS X. This update is also only intended to work on Leopard desktops and laptops – not Leopard Server installations, which are more deeply tied into Apple’s magic configurations, and would likely break if you follow the below procedure.

  1. Join Apple’s developer program, which has a basic free level anyone can use.
  2. After joining, log in to your account, click the Downloads link, and then the Developer Tools link in the list of Downloads in the right navigation bar. Download the large (1 GB) Xcode 3.1 Developer Tools disk image, mount it, and install it. This is needed for the compilation tools required to install BIND.
  3. Visit the Internet System Consortium’s BIND page, and download BIND 9.4.2-P1: Click the link for that release, and scroll down to the Downloads section. Click the bind-9.4.2-P1.tar.gz link.
  4. Launch Applications > Utilities > Terminal.
  5. Navigate to the directory in which BIND was downloaded. Likely, you need to type the following two commands. (If you use a different directory for downloads, change ~/Downloads/ in the command to the path of your download directory specified in your browser, or move the downloaded file to your home folder’s Downloads directory.)

    6. cd ~/Downloads/

    ls



  6. If the BIND file in the list that appears after the “ls” command is typed has .tar.gz at the end, type:

    7. gunzip -c bind-9.4.2-P1.tar.gz | tar xf -

  7. Now type, to enter the BIND directory:

    8. cd bind-9.4.2-P1



  8. Switch to superuser or root mode to install the software. Type the following and enter a password when prompted. You need an account with administrative access to proceed.

    9. sudo su

  9. Now type the following sequence in turn each time you get a prompt. (Each command will result in a lot of scrolling output explaining what’s going on at a level far beyond what you need to know. Make test, in particular, can take a long time to run as it runs through a set of standard activities.)

    10. ./configure --prefix=/usr

    make

    make test

  10. If either “make” produces errors and doesn’t complete, or “make test” explains after running thousands of tests that something’s wrong, don’t proceed. Just stop here and your system is still untouched.
  11. Type:

    12. make install



You’re now updated. If you type:

dig

as an example, you’ll see at the top of the resulting DNS root server information a banner that includes “DiG 9.4.2-P1” to show the latest version is in place.

When Apple releases its expected DNS update, it’s possible that this manual installation will break their ability to update the software. I’ll provide more details when that happens.

Chuq von Rospach suggests an alternative process that he feels provides a better revert position for you when the updates are released.

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.