Bind 9 Security Issue

phn at icke-reklam.ipsec.nu
Wed Mar 6 19:29:43 UTC 2002


"Do, Ho cao (CIT)" <doh at mail.nih.gov> wrote:

> Hello all,

> Our DNS system has experienced some unexpected security issues since we
> updated from 8.2.5REL to 9.2.0.  The problem is that in the named.conf file
> we only allow our inside machines to do recursive queries.  It was working
> fine with 8.2.5.  However with 9.2.0, it seems to deny any query from
> outside our network.  Please advise.

Your log shows "denied recursion", that's what you have configured.

Or did I misunderstand your question?

Peter h


> Portion of reference in NAMED.CONF file
> --------------------------------------
> // generated by named-bootconf.pl
> acl "nih_secondary_dns" {
>                                 {128.231.64.1;
>                                  130.14.35.128;
>                                  204.123.2.18;
>                                  204.123.2.19;
>                                  130.14.25.2;
>                                              };
> };

> acl "nih_ip_addresses" {
>                                 {128.231.0.0/16;
>                                  137.187.0.0/16;
>                                  156.40.0.0/16;
>                                  165.112.0.0/16;
>                                  129.43.0.0/16;
>                                  199.249.158.0/24;
>                                  157.98.0.0/16;
>                                  130.14.0.0/16;
>                                  131.158.140.0/24;
>                                  131.158.81.0/24;
>                                  131.158.67.0/24;
>                                  131.158.67.113;
>                                  150.148.112/23;
>                                  150.148.218/23;
>                                  192.168.0.0/16;
>                                  205.128.154.0/24;
>                                               };
> };


> options {

>         allow-recursion { "nih_ip_addresses"; }; 

>         recursive-clients 10000;

>         directory "/etc/namedb";

>        allow-transfer
>        { "nih_secondary_dns";
>          "nih_ip_addresses";
>        };


> };

> --------------------------------------------
> Portion of the security.log
> --------------------------------------------
> denied recursion for query from [12.43.96.2].57202 for
> 135.66.142.146.in-addr.arpa IN
> denied recursion for query from [199.159.244.52].3730 for po.nrcs.usda.gov
> IN
> denied recursion for query from [65.165.89.127].1100 for od6011-p1.mris.com
> IN
> denied recursion for query from [131.158.21.110].3110 for a188.g.akamai.net
> IN
> denied recursion for query from [131.158.21.110].3112 for a188.g.akamai.net
> IN
> denied recursion for query from [208.209.39.37].41780 for
> 1.162.136.198.in-addr.arpa IN
> denied recursion for query from [32.97.140.109].5527 for
> 24.4.142.146.in-addr.arpa IN
> denied recursion for query from [207.197.254.27].2544 for yahoo.com IN
> denied recursion for query from [134.174.20.16].4990 for www.bls.gov IN
> denied recursion for query from [207.197.254.27].2545 for
> mail.nih.gov.gatewayone.com IN
> denied recursion for query from [64.200.160.21].64084 for
> 24.4.142.146.in-addr.arpa IN
> denied recursion for query from [207.55.158.8].53 for
> 32.4.142.146.in-addr.arpa IN
> denied recursion for query from [131.158.175.196].4477 for
> www.apple.com.akadns.net IN
> denied recursion for query from [128.252.120.1].60586 for nohic.aerie.com IN
> denied recursion for query from [216.185.192.2].53 for www.bls.gov IN
> denied recursion for query from [64.28.67.21].47050 for
> 69.47.142.146.in-addr.arpa IN
> denied recursion for query from [64.213.103.93].38431 for bls.gov IN
> denied recursion for query from [131.158.175.196].4523 for www.xerox.com IN
> denied recursion for query from [65.160.54.183].1361 for
> corporate.imgcorp.com IN
> denied recursion for query from [208.196.154.125].237 for stats.bls.gov IN
> denied recursion for query from [64.196.154.36].1160 for
> bis.180solutions.com IN
> denied recursion for query from [65.160.54.183].1366 for
> DDOMONKOS.corporate.imgcorp.com IN
> denied recursion for query from [66.44.45.222].1224 for pop.mail.rcn.net IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [63.161.59.66].53 for
> 32.4.142.146.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [129.252.51.13].1837 for www.bls.gov IN
> denied recursion for query from [65.165.89.127].1105 for od1h1.mris.com IN
> denied recursion for query from [67.97.212.2].53 for
> 32.4.142.146.in-addr.arpa IN
> ------------------------------------------

> I really appreciate any reply.

> Sincerely,

> Ho

> Ho Cao Do
> NIH/CIT/DNST/CSS
> Federal Bldg., Room 4C10
> 7550 Wisconsin Ave.,
> Bethesda, MD 20892
> (301)435-1970   Voice
> (301)480-6041   Fax
> doh at mail.nih.gov



-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but I'm trying to keep spam out.
	   Remove "icke-reklam" and it works.
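
Added example, not part of the original thread and not code from either poster: one way to triage a "denied recursion" log like the one quoted above is to check each denied source address against the `nih_ip_addresses` acl, so that refusals of addresses the ACL covers stand out from refusals of outside clients. The function names are hypothetical, the ACL entries and log lines are copied from the quoted message, and padding short prefixes such as `150.148.112/23` with zero octets is an assumption about how they are meant.

```python
import ipaddress
import re
from collections import Counter

# Entries copied from the "nih_ip_addresses" acl quoted in the post.
ACL_ENTRIES = """128.231.0.0/16 137.187.0.0/16 156.40.0.0/16 165.112.0.0/16
129.43.0.0/16 199.249.158.0/24 157.98.0.0/16 130.14.0.0/16 131.158.140.0/24
131.158.81.0/24 131.158.67.0/24 131.158.67.113 150.148.112/23 150.148.218/23
192.168.0.0/16 205.128.154.0/24""".split()

# A few entries copied from the quoted security.log, mail line wrapping included.
SAMPLE_LOG = """\
denied recursion for query from [12.43.96.2].57202 for
135.66.142.146.in-addr.arpa IN
denied recursion for query from [131.158.21.110].3110 for a188.g.akamai.net
IN
denied recursion for query from [131.158.175.196].4477 for
www.apple.com.akadns.net IN
denied recursion for query from [207.197.254.27].2544 for yahoo.com IN
denied recursion for query from [131.158.175.194].49152 for
194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for
194.175.158.131.in-addr.arpa IN
"""

DENIED = re.compile(
    r"denied recursion for query from \[([0-9.]+)\]\.\d+ for (\S+) IN")

def parse_acl_entry(entry):
    """Convert one address-match element to an ip_network.
    Assumption: missing trailing octets (150.148.112/23) are zero."""
    addr, _, plen = entry.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(
        "{}/{}".format(".".join(octets), plen or 32), strict=False)

def classify_denials(log_text, acl_entries=ACL_ENTRIES):
    """Return (inside, outside): per-source counts of denied queries,
    split by whether the source address matches the ACL."""
    nets = [parse_acl_entry(e) for e in acl_entries]
    joined = " ".join(log_text.split())  # undo the line wrapping
    inside, outside = Counter(), Counter()
    for ip, _qname in DENIED.findall(joined):
        addr = ipaddress.ip_address(ip)
        bucket = inside if any(addr in n for n in nets) else outside
        bucket[ip] += 1
    return inside, outside

if __name__ == "__main__":
    inside, outside = classify_denials(SAMPLE_LOG)
    print("denied although in ACL:", dict(inside))
    print("denied, not in ACL:    ", dict(outside))
```
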

