patch for dropping unapproved queries

Joe Pruett joey at q7.com
Fri Jun 30 23:24:05 UTC 2000


i've talked about this for a long time so i finally got energetic enough
today to do it.

in my scenario (an isp), i have the global allow-query set for only my
local nets and then i set allow-query to all for any domain that i host.  
this is supposed to keep random bozos from using me as their resolver.
but resolvers don't track servers that give them a REFUSED answer and so
they keep right on asking.  what this patch does is to just drop the
request when it isn't allowed via the allow-query options.  there is a new
global-level option called drop-refused-query that is a yes/no flag.  it
doesn't affect all REFUSED answers, just the ones caused by the
allow-query checks.  that seemed like the simplest fix.

so far it seems to be doing what i want.  maybe something like this can
make it into bind9 (if it isn't there already)?

let me know if you use this, or think it is a bad idea.  it applies
against 8.2.2-P5.

diff -u -r bind-8.2.2-P5/src/bin/named/ns_config.c bind-8.2.2-P5.joey/src/bin/named/ns_config.c
--- bind-8.2.2-P5/src/bin/named/ns_config.c	Mon Nov  8 15:09:42 1999
+++ bind-8.2.2-P5.joey/src/bin/named/ns_config.c	Fri Jun 30 15:28:42 2000
@@ -1199,6 +1199,7 @@
 	case OPTION_USE_IXFR:
 	case OPTION_MAINTAIN_IXFR_BASE:
 	case OPTION_HOSTSTATS:
+	case OPTION_DROP_REFUSED_QUERY:
 	case OPTION_DEALLOC_ON_EXIT:
 	case OPTION_USE_ID_POOL:
 	case OPTION_NORFC2308_TYPE1:
diff -u -r bind-8.2.2-P5/src/bin/named/ns_defs.h bind-8.2.2-P5.joey/src/bin/named/ns_defs.h
--- bind-8.2.2-P5/src/bin/named/ns_defs.h	Thu Oct  7 01:24:08 1999
+++ bind-8.2.2-P5.joey/src/bin/named/ns_defs.h	Fri Jun 30 14:31:22 2000
@@ -188,6 +188,7 @@
 					 * to cached negative respones */
 #define	OPTION_USE_ID_POOL	0x0800	/* Use the memory hogging query ID */
 #define	OPTION_TREAT_CR_AS_SPACE 0x1000 /* Treat CR in zone files as space */
+#define OPTION_DROP_REFUSED_QUERY 0x2000	/* don't return REFUSED answers, just drop them */
 
 #define	DEFAULT_OPTION_FLAGS	(OPTION_NODIALUP|OPTION_NONAUTH_NXDOMAIN|\
 				 OPTION_USE_ID_POOL|OPTION_NORFC2308_TYPE1)
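Review bot: The comment on the new `OPTION_DROP_REFUSED_QUERY` line overstates the flag's scope: it says REFUSED answers in general are dropped, while the ns_req.c hunk applies the flag only to queries rejected by the allow-query check, so the comment should read `/* Drop queries rejected by allow-query instead of answering REFUSED */`. The value 0x2000 follows the 0x1000 on the line above, but the other OPTION_* flags that DEFAULT_OPTION_FLAGS references (e.g. OPTION_NORFC2308_TYPE1) are defined outside this hunk, so that the bit is actually unused cannot be confirmed from here. The new line also puts a space after `#define` where the neighbouring lines use a tab.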
diff -u -r bind-8.2.2-P5/src/bin/named/ns_lexer.c bind-8.2.2-P5.joey/src/bin/named/ns_lexer.c
--- bind-8.2.2-P5/src/bin/named/ns_lexer.c	Wed Oct 13 09:39:08 1999
+++ bind-8.2.2-P5.joey/src/bin/named/ns_lexer.c	Fri Jun 30 14:32:37 2000
@@ -245,6 +245,7 @@
 	{"default", T_DEFAULT},
 	{"dialup", T_DIALUP},
 	{"directory", T_DIRECTORY}, 
+	{"drop-refused-query", T_DROP_REFUSED_QUERY},
 	{"dump-file", T_DUMP_FILE},
 	{"dynamic", T_DYNAMIC},
 	{"fail", T_FAIL},
diff -u -r bind-8.2.2-P5/src/bin/named/ns_parser.y bind-8.2.2-P5.joey/src/bin/named/ns_parser.y
--- bind-8.2.2-P5/src/bin/named/ns_parser.y	Thu Nov 11 21:29:18 1999
+++ bind-8.2.2-P5.joey/src/bin/named/ns_parser.y	Fri Jun 30 14:33:33 2000
@@ -143,6 +143,7 @@
 %token			T_DEFAULT T_UNLIMITED
 %token			T_FILES T_VERSION
 %token			T_HOSTSTATS T_DEALLOC_ON_EXIT
+%token			T_DROP_REFUSED_QUERY
 %token			T_TRANSFERS_IN T_TRANSFERS_OUT T_TRANSFERS_PER_NS
 %token			T_TRANSFER_FORMAT T_MAX_TRANSFER_TIME_IN
 %token			T_SERIAL_QUERIES T_ONE_ANSWER T_MANY_ANSWERS
@@ -358,6 +359,11 @@
 	{
 		set_global_boolean_option(current_options,
 			OPTION_HOSTSTATS, $2);
+	}
+	| T_DROP_REFUSED_QUERY yea_or_nay
+	{
+		set_global_boolean_option(current_options,
+			OPTION_DROP_REFUSED_QUERY, $2);
 	}
 	| T_DEALLOC_ON_EXIT yea_or_nay
 	{
diff -u -r bind-8.2.2-P5/src/bin/named/ns_req.c bind-8.2.2-P5.joey/src/bin/named/ns_req.c
--- bind-8.2.2-P5/src/bin/named/ns_req.c	Fri Oct 15 12:49:04 1999
+++ bind-8.2.2-P5.joey/src/bin/named/ns_req.c	Fri Jun 30 15:50:01 2000
@@ -891,7 +891,7 @@
 			ns_notice(ns_log_security,
 				  "unapproved query from %s for \"%s\"",
 				  sin_ntoa(from), *dname ? dname : ".");
-			return (Refuse);
+			return (NS_OPTION_P(OPTION_DROP_REFUSED_QUERY) ? Return : Refuse);
 		}
 	} else {
 		ip_match_list transfer_acl;
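Review bot: Returning `Return` instead of `Refuse` presumably means no response is sent at all, which is the intent for UDP resolvers that ignore REFUSED, but the changed line does not distinguish TCP: a TCP client whose query fails allow-query would then hold its connection open until it times out, and whether the caller closes the stream on `Return` is not visible in this hunk. The same silence applies to legitimate clients behind a misconfigured ACL, which now see a timeout rather than an immediate REFUSED, so the `ns_notice` on the lines above becomes the only diagnostic and must stay. A comment at the changed line would make that trade-off explicit: `/* drop-refused-query: send nothing rather than REFUSED, since resolvers retry after REFUSED; the ns_notice above is then the only trace */`. The enclosing function starts and ends outside the hunk.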



