patch for dropping unapproved queries
Joe Pruett
joey at q7.com
Fri Jun 30 23:24:05 UTC 2000
I've talked about this for a long time, so I finally got energetic enough today to do it.

In my scenario (an ISP), I have the global allow-query set for only my local nets, and then I set allow-query to all for any domain that I host. This is supposed to keep random bozos from using me as their resolver, but resolvers don't track servers that give them a REFUSED answer, and so they keep right on asking. What this patch does is just drop the request when it isn't allowed via the allow-query options. There is a new global-level option called drop-refused-query that is a yes/no flag. It doesn't affect all REFUSED answers, just the ones caused by the allow-query checks. That seemed like the simplest fix.

So far it seems to be doing what I want. Maybe something like this can make it into bind9 (if it isn't there already)?

Let me know if you use this, or think it is a bad idea. It applies against 8.2.2-P5.
diff -u -r bind-8.2.2-P5/src/bin/named/ns_config.c bind-8.2.2-P5.joey/src/bin/named/ns_config.c
--- bind-8.2.2-P5/src/bin/named/ns_config.c Mon Nov 8 15:09:42 1999
+++ bind-8.2.2-P5.joey/src/bin/named/ns_config.c Fri Jun 30 15:28:42 2000
@@ -1199,6 +1199,7 @@
case OPTION_USE_IXFR:
case OPTION_MAINTAIN_IXFR_BASE:
case OPTION_HOSTSTATS:
+ case OPTION_DROP_REFUSED_QUERY:
case OPTION_DEALLOC_ON_EXIT:
case OPTION_USE_ID_POOL:
case OPTION_NORFC2308_TYPE1:
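Review bot: The patch registers the new flag in this case list but carries no documentation change for the named.conf options syntax (nothing under doc/ is touched in any of the diffs), so an operator reading the shipped manual would not learn that `drop-refused-query yes;` exists or that it only applies to allow-query refusals. Please add a short entry alongside `host-statistics` and `deallocate-on-exit` describing the option, its default of `no`, and the narrow scope the cover note gives it.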
diff -u -r bind-8.2.2-P5/src/bin/named/ns_defs.h bind-8.2.2-P5.joey/src/bin/named/ns_defs.h
--- bind-8.2.2-P5/src/bin/named/ns_defs.h Thu Oct 7 01:24:08 1999
+++ bind-8.2.2-P5.joey/src/bin/named/ns_defs.h Fri Jun 30 14:31:22 2000
@@ -188,6 +188,7 @@
* to cached negative respones */
#define OPTION_USE_ID_POOL 0x0800 /* Use the memory hogging query ID */
#define OPTION_TREAT_CR_AS_SPACE 0x1000 /* Treat CR in zone files as space */
+#define OPTION_DROP_REFUSED_QUERY 0x2000 /* don't return REFUSED answers, just drop them */
#define DEFAULT_OPTION_FLAGS (OPTION_NODIALUP|OPTION_NONAUTH_NXDOMAIN|\
OPTION_USE_ID_POOL|OPTION_NORFC2308_TYPE1)
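Review bot: The new bit `0x2000` is chosen by extending the visible sequence, but the hunk only shows context up to `OPTION_TREAT_CR_AS_SPACE 0x1000`; please confirm no other `OPTION_` value beyond this window already uses `0x2000`, since a collision would silently turn a different option on whenever `drop-refused-query yes` is set. Leaving `DEFAULT_OPTION_FLAGS` unchanged, so the flag defaults to off, is the right call for a behaviour change like this. Minor style: the other option comments are capitalised and fit in 80 columns, so `/* Don't return REFUSED answers, drop them */` would match.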
diff -u -r bind-8.2.2-P5/src/bin/named/ns_lexer.c bind-8.2.2-P5.joey/src/bin/named/ns_lexer.c
--- bind-8.2.2-P5/src/bin/named/ns_lexer.c Wed Oct 13 09:39:08 1999
+++ bind-8.2.2-P5.joey/src/bin/named/ns_lexer.c Fri Jun 30 14:32:37 2000
@@ -245,6 +245,7 @@
{"default", T_DEFAULT},
{"dialup", T_DIALUP},
{"directory", T_DIRECTORY},
+ {"drop-refused-query", T_DROP_REFUSED_QUERY},
{"dump-file", T_DUMP_FILE},
{"dynamic", T_DYNAMIC},
{"fail", T_FAIL},
diff -u -r bind-8.2.2-P5/src/bin/named/ns_parser.y bind-8.2.2-P5.joey/src/bin/named/ns_parser.y
--- bind-8.2.2-P5/src/bin/named/ns_parser.y Thu Nov 11 21:29:18 1999
+++ bind-8.2.2-P5.joey/src/bin/named/ns_parser.y Fri Jun 30 14:33:33 2000
@@ -143,6 +143,7 @@
%token T_DEFAULT T_UNLIMITED
%token T_FILES T_VERSION
%token T_HOSTSTATS T_DEALLOC_ON_EXIT
+%token T_DROP_REFUSED_QUERY
%token T_TRANSFERS_IN T_TRANSFERS_OUT T_TRANSFERS_PER_NS
%token T_TRANSFER_FORMAT T_MAX_TRANSFER_TIME_IN
%token T_SERIAL_QUERIES T_ONE_ANSWER T_MANY_ANSWERS
@@ -358,6 +359,11 @@
{
set_global_boolean_option(current_options,
OPTION_HOSTSTATS, $2);
+ }
+ | T_DROP_REFUSED_QUERY yea_or_nay
+ {
+ set_global_boolean_option(current_options,
+ OPTION_DROP_REFUSED_QUERY, $2);
}
| T_DEALLOC_ON_EXIT yea_or_nay
{
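Review bot: The rule is consistent with its neighbours (same `yea_or_nay` argument, same `set_global_boolean_option` call), so this hunk is fine as written; since the option is global only, it is worth noting in the cover note or documentation that a zone-level `allow-query` refusal and the global refusal are handled the same way, with no per-zone override.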
diff -u -r bind-8.2.2-P5/src/bin/named/ns_req.c bind-8.2.2-P5.joey/src/bin/named/ns_req.c
--- bind-8.2.2-P5/src/bin/named/ns_req.c Fri Oct 15 12:49:04 1999
+++ bind-8.2.2-P5.joey/src/bin/named/ns_req.c Fri Jun 30 15:50:01 2000
@@ -891,7 +891,7 @@
ns_notice(ns_log_security,
"unapproved query from %s for \"%s\"",
sin_ntoa(from), *dname ? dname : ".");
- return (Refuse);
+ return (NS_OPTION_P(OPTION_DROP_REFUSED_QUERY) ? Return : Refuse);
}
} else {
ip_match_list transfer_acl;
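Review bot: The `ns_notice(ns_log_security, "unapproved query from %s ...")` line just above still fires unchanged when the query is dropped rather than refused, so the security log no longer shows which of the two actually happened; consider logging a distinct message (for example "dropped unapproved query from %s") in the `Return` branch so operators can tell silent drops from REFUSED responses. Please also confirm what `Return` does for a request that arrived over TCP at this point in `ns_req`: if it ends processing without closing the connection, a dropped TCP query leaves the client hanging until its own timeout, which is a different failure mode than the UDP case the cover note describes.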