bind 8.2.2-P5 and Query Class = 255

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 20 01:46:29 UTC 2000


Serge Andrey wrote:

> Hi,
>
> I am running BIND 8.2.2-P5 with the configuration found in the following
> document from AUSCERT to protect against DoS attacks using DNS.
>
>   ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos
>
> With this configuration, BIND sometimes generates log messages:
>
>   unapproved query from [a.b.c.d].4900 for "1.1.21.134.in-addr.arpa"
>
> This message is generated only when 'Query Class = 255'.
> Very few queries arrive with this 'Query Class' but they are refused.
>
> Any idea?

A named bug, in my opinion. When a query comes in with class 255 ("any",
wildcard), the allow-query ACL it gets matched against is the
default/global allow-query ACL, rather than the allow-query ACL on the zone
from which it is answered, albeit non-authoritatively. Since you probably
have your default/global allow-query set to only allow queries from trusted
addresses, the class "any" queries are being unintentionally refused. (And
one cannot kludge around this by defining a dummy class "any" zone either.)

For a class "any" query, I think named should find all zones in all classes
which match the query, and apply the most restrictive ACL. The vast
majority of the time, it'll match only one zone, of course.


- Kevin

P.S. Oddly, RFC 1700 (Assigned Numbers) doesn't list DNS query class 255 as
a wildcard, although from the code and empirically it plainly is.
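The ACL selection described in the reply, as an added illustration that is not part of the original thread and not BIND's own code: a small Python model in which a class ANY (255) query is checked only against the global allow-query, beside the "most restrictive ACL" selection the reply proposes. The zone names, ACLs and client addresses are constructed for the example (RFC 5737 documentation ranges), and the `closest_zones`, `decide_current` and `decide_proposed` functions are hypothetical helpers, not named internals.

```python
import ipaddress

# Constructed example, not BIND's code: models the allow-query ACL selection
# discussed in the post for class ANY (255) queries.

QCLASS_IN = 1
QCLASS_CH = 3
QCLASS_ANY = 255   # wildcard query class discussed in the post


class Acl:
    """A minimal allow-query ACL: a list of address prefixes."""

    def __init__(self, prefixes):
        self.networks = [ipaddress.ip_network(p) for p in prefixes]

    def allows(self, client):
        addr = ipaddress.ip_address(client)
        return any(addr in net for net in self.networks)


# Constructed configuration (addresses from RFC 5737 documentation ranges):
# the global allow-query only trusts 192.0.2.0/24, while the zones the
# server actually answers from are open to everyone.
GLOBAL_ALLOW_QUERY = Acl(["192.0.2.0/24"])

ZONES = {
    # (zone name, class) -> zone-level allow-query
    ("21.134.in-addr.arpa.", QCLASS_IN): Acl(["0.0.0.0/0"]),
    ("example.com.", QCLASS_IN): Acl(["0.0.0.0/0"]),
    ("example.com.", QCLASS_CH): Acl(["192.0.2.0/24"]),  # CHAOS-class twin with a tighter ACL
}


def closest_zones(qname, qclass):
    """Return {class: acl} for the closest enclosing zone of qname in each
    class. A specific class yields at most one entry; class ANY searches
    every class, as the reply suggests named should."""
    best = {}
    for (zname, zclass), acl in ZONES.items():
        if qclass != QCLASS_ANY and zclass != qclass:
            continue
        if qname == zname or qname.endswith("." + zname):
            if zclass not in best or len(zname) > len(best[zclass][0]):
                best[zclass] = (zname, acl)
    return {zclass: acl for zclass, (zname, acl) in best.items()}


def decide_current(qname, qclass, client):
    """Behaviour reported in the post: a class ANY query is matched only
    against the global allow-query; a class-specific query against its zone."""
    if qclass == QCLASS_ANY:
        acl = GLOBAL_ALLOW_QUERY
    else:
        acl = closest_zones(qname, qclass).get(qclass, GLOBAL_ALLOW_QUERY)
    return "allowed" if acl.allows(client) else "refused"


def decide_proposed(qname, qclass, client):
    """Proposed behaviour: for class ANY, find the matching zone in every
    class and require every matching ACL (the most restrictive) to allow.
    With no matching zone at all, fall back to the global ACL."""
    acls = list(closest_zones(qname, qclass).values()) or [GLOBAL_ALLOW_QUERY]
    return "allowed" if all(acl.allows(client) for acl in acls) else "refused"


if __name__ == "__main__":
    q = ("1.1.21.134.in-addr.arpa.", QCLASS_ANY, "203.0.113.7")
    print("current :", decide_current(*q))    # refused (global ACL applied)
    print("proposed:", decide_proposed(*q))   # allowed (only the IN zone matches)
```

Running it reproduces the situation in the post: the same reverse-zone query from an untrusted client is answered in class IN but refused in class ANY, because only the restrictive global ACL is consulted. Under the proposed rule, a class ANY name that matches zones in several classes is allowed only when every matching zone's ACL allows the client.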