Bind 9 Security Issue

Do, Ho cao (CIT) doh at mail.nih.gov
Wed Mar 6 17:16:34 UTC 2002


Hello all,

Our DNS system has experienced some unexpected security issues since we
updated from 8.2.5REL to 9.2.0.  The problem is that in the named.conf file
we only allow our inside machines to do recursive queries.  It was working
fine with 8.2.5.  However with 9.2.0, it seems to deny any query from
outside our network.  Please advise.

Portion of reference in NAMED.CONF file
--------------------------------------
// generated by named-bootconf.pl
// Hosts permitted to pull zone transfers (referenced by allow-transfer below).
// The inner braces form a nested address match list, which BIND 9 accepts.
acl "nih_secondary_dns" {
        {
                128.231.64.1;
                130.14.35.128;
                204.123.2.18;
                204.123.2.19;
                130.14.25.2;
        };
};

// Internal address space: the only clients that may use this server recursively
// (referenced by allow-recursion below). Short prefixes such as 150.148.112/23
// are the abbreviated form BIND accepts for 150.148.112.0/23.
acl "nih_ip_addresses" {
        {
                128.231.0.0/16;
                137.187.0.0/16;
                156.40.0.0/16;
                165.112.0.0/16;
                129.43.0.0/16;
                199.249.158.0/24;
                157.98.0.0/16;
                130.14.0.0/16;
                131.158.140.0/24;
                131.158.81.0/24;
                131.158.67.0/24;
                131.158.67.113;
                150.148.112/23;
                150.148.218/23;
                192.168.0.0/16;
                205.128.154.0/24;
        };
};

options {
        // Recursion is granted only to clients matching the ACL above; any other
        // client is refused and produces the "denied recursion" log line.
        allow-recursion { "nih_ip_addresses"; };

        recursive-clients 10000;

        directory "/etc/namedb";

        // Zone transfers are limited to the secondaries and internal space.
        allow-transfer {
                "nih_secondary_dns";
                "nih_ip_addresses";
        };
};

--------------------------------------------
Portion of the security.log
--------------------------------------------
denied recursion for query from [12.43.96.2].57202 for 135.66.142.146.in-addr.arpa IN
denied recursion for query from [199.159.244.52].3730 for po.nrcs.usda.gov IN
denied recursion for query from [65.165.89.127].1100 for od6011-p1.mris.com IN
denied recursion for query from [131.158.21.110].3110 for a188.g.akamai.net IN
denied recursion for query from [131.158.21.110].3112 for a188.g.akamai.net IN
denied recursion for query from [208.209.39.37].41780 for 1.162.136.198.in-addr.arpa IN
denied recursion for query from [32.97.140.109].5527 for 24.4.142.146.in-addr.arpa IN
denied recursion for query from [207.197.254.27].2544 for yahoo.com IN
denied recursion for query from [134.174.20.16].4990 for www.bls.gov IN
denied recursion for query from [207.197.254.27].2545 for mail.nih.gov.gatewayone.com IN
denied recursion for query from [64.200.160.21].64084 for 24.4.142.146.in-addr.arpa IN
denied recursion for query from [207.55.158.8].53 for 32.4.142.146.in-addr.arpa IN
denied recursion for query from [131.158.175.196].4477 for www.apple.com.akadns.net IN
denied recursion for query from [128.252.120.1].60586 for nohic.aerie.com IN
denied recursion for query from [216.185.192.2].53 for www.bls.gov IN
denied recursion for query from [64.28.67.21].47050 for 69.47.142.146.in-addr.arpa IN
denied recursion for query from [64.213.103.93].38431 for bls.gov IN
denied recursion for query from [131.158.175.196].4523 for www.xerox.com IN
denied recursion for query from [65.160.54.183].1361 for corporate.imgcorp.com IN
denied recursion for query from [208.196.154.125].237 for stats.bls.gov IN
denied recursion for query from [64.196.154.36].1160 for bis.180solutions.com IN
denied recursion for query from [65.160.54.183].1366 for DDOMONKOS.corporate.imgcorp.com IN
denied recursion for query from [66.44.45.222].1224 for pop.mail.rcn.net IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [63.161.59.66].53 for 32.4.142.146.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [129.252.51.13].1837 for www.bls.gov IN
denied recursion for query from [65.165.89.127].1105 for od1h1.mris.com IN
denied recursion for query from [67.97.212.2].53 for 32.4.142.146.in-addr.arpa IN
------------------------------------------

I really appreciate any reply.

Sincerely,

Ho

Ho Cao Do
NIH/CIT/DNST/CSS
Federal Bldg., Room 4C10
7550 Wisconsin Ave.,
Bethesda, MD 20892
(301)435-1970   Voice
(301)480-6041   Fax
doh at mail.nih.gov
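A way to check whether the "denied recursion" entries are consistent with the allow-recursion ACL in the posted named.conf, as an added example that is not part of the original message: it parses the ACL elements (including BIND's abbreviated prefix form), then maps each denied client in the log to whether the ACL would have matched it. The log lines embedded here are constructed in the format of the posted security.log; a True result would indicate a client the ACL permits but the server still refused.

```python
import ipaddress
import re

# The allow-recursion ACL "nih_ip_addresses", copied from the posted named.conf.
# BIND accepts abbreviated prefixes such as 150.148.112/23; expanded in bind_prefix().
NIH_IP_ADDRESSES = [
    "128.231.0.0/16", "137.187.0.0/16", "156.40.0.0/16", "165.112.0.0/16",
    "129.43.0.0/16", "199.249.158.0/24", "157.98.0.0/16", "130.14.0.0/16",
    "131.158.140.0/24", "131.158.81.0/24", "131.158.67.0/24", "131.158.67.113",
    "150.148.112/23", "150.148.218/23", "192.168.0.0/16", "205.128.154.0/24",
]

LOG_RE = re.compile(r"denied recursion for query from \[([\d.]+)\]\.(\d+) for (\S+) IN")

def bind_prefix(text):
    """Parse one address-match element; a bare address becomes a /32 and a short
    dotted prefix (150.148.112/23) is padded to 150.148.112.0/23."""
    if "/" in text:
        addr, plen = text.split("/", 1)
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return ipaddress.ip_network(text)

def allowed_recursion(client, acl=NIH_IP_ADDRESSES):
    """True if the client address matches any element of the ACL."""
    ip = ipaddress.ip_address(client)
    return any(ip in bind_prefix(e) for e in acl)

def classify_log(log_text, acl=NIH_IP_ADDRESSES):
    """Map each denied client to whether the ACL would actually have allowed it.
    False means the denial is exactly what the ACL asks for."""
    result = {}
    for client, _port, _qname in LOG_RE.findall(log_text):
        result[client] = allowed_recursion(client, acl)
    return result

# Constructed sample lines in the format of the posted security.log.
SAMPLE_LOG = """\
denied recursion for query from [12.43.96.2].57202 for 135.66.142.146.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.21.110].3110 for a188.g.akamai.net IN
"""

if __name__ == "__main__":
    for client, allowed in classify_log(SAMPLE_LOG).items():
        print(f"{client:18} matched by allow-recursion ACL: {allowed}")
```

Note that 131.158.175.194 and 131.158.21.110 fall outside the three 131.158.x.0/24 entries, so their denials are what the ACL specifies rather than a change in behaviour.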
