Bind 9 Security Issue

Do, Ho cao (CIT) doh at mail.nih.gov
Wed Mar 6 19:53:53 UTC 2002


Yes, I did intend to deny recursive queries from outside my network.  That means
if a host outside my network asks for a hostname that my DNS server is not
authoritative for, it will not look for a non-authoritative answer.  If a host
outside my network asks for a hostname that is in my DNS records, it will answer
them.
The problem is that with BIND 8.2.5REL it seemed to work OK, but with BIND
9.2.0 it seems to interpret that as "my boss said that I do not answer your
query because you are not my colleague".  In sum, with BIND 9.2.0, the DNS
server will not allow the outside machines to query anything in our zone.
(INSIDER works like a charm)
Thank you for verifying and thanks for your time.

Sincerely,

Ho

-----Original Message-----
From: phn at icke-reklam.ipsec.nu [mailto:phn at icke-reklam.ipsec.nu]
Sent: Wednesday, March 06, 2002 2:30 PM
To: comp-protocols-dns-bind at isc.org
Subject: Re: Bind 9 Security Issue



"Do, Ho cao (CIT)" <doh at mail.nih.gov> wrote:

> Hello all,

> Our DNS system has experienced some unexpected security issues since we
> updated from 8.2.5REL to 9.2.0.  The problem is that in the named.conf file
> we only allow our inside machines to do recursive queries.  It was working
> fine with 8.2.5.  However with 9.2.0, it seems to deny any query from
> outside our network.  Please advise.

Your log shows "denied recursion", that's what you have configured.

Or did I misunderstand your question?

Peter h


> Portion of reference in NAMED.CONF file
> --------------------------------------
> // generated by named-bootconf.pl
> acl "nih_secondary_dns" {
>                                 {128.231.64.1;
>                                  130.14.35.128;
>                                  204.123.2.18;
>                                  204.123.2.19;
>                                  130.14.25.2;
>                                              };
> };

> acl "nih_ip_addresses" {
>                                 {128.231.0.0/16;
>                                  137.187.0.0/16;
>                                  156.40.0.0/16;
>                                  165.112.0.0/16;
>                                  129.43.0.0/16;
>                                  199.249.158.0/24;
>                                  157.98.0.0/16;
>                                  130.14.0.0/16;
>                                  131.158.140.0/24;
>                                  131.158.81.0/24;
>                                  131.158.67.0/24;
>                                  131.158.67.113;
>                                  150.148.112/23;
>                                  150.148.218/23;
>                                  192.168.0.0/16;
>                                  205.128.154.0/24;
>                                               };
> };


> options {

>         allow-recursion { "nih_ip_addresses"; }; 

>         recursive-clients 10000;

>         directory "/etc/namedb";

>        allow-transfer
>        { "nih_secondary_dns";
>          "nih_ip_addresses";
>        };


> };

> --------------------------------------------
> Portion of the security.log
> --------------------------------------------
> denied recursion for query from [12.43.96.2].57202 for 135.66.142.146.in-addr.arpa IN
> denied recursion for query from [199.159.244.52].3730 for po.nrcs.usda.gov IN
> denied recursion for query from [65.165.89.127].1100 for od6011-p1.mris.com IN
> denied recursion for query from [131.158.21.110].3110 for a188.g.akamai.net IN
> denied recursion for query from [131.158.21.110].3112 for a188.g.akamai.net IN
> denied recursion for query from [208.209.39.37].41780 for 1.162.136.198.in-addr.arpa IN
> denied recursion for query from [32.97.140.109].5527 for 24.4.142.146.in-addr.arpa IN
> denied recursion for query from [207.197.254.27].2544 for yahoo.com IN
> denied recursion for query from [134.174.20.16].4990 for www.bls.gov IN
> denied recursion for query from [207.197.254.27].2545 for mail.nih.gov.gatewayone.com IN
> denied recursion for query from [64.200.160.21].64084 for 24.4.142.146.in-addr.arpa IN
> denied recursion for query from [207.55.158.8].53 for 32.4.142.146.in-addr.arpa IN
> denied recursion for query from [131.158.175.196].4477 for www.apple.com.akadns.net IN
> denied recursion for query from [128.252.120.1].60586 for nohic.aerie.com IN
> denied recursion for query from [216.185.192.2].53 for www.bls.gov IN
> denied recursion for query from [64.28.67.21].47050 for 69.47.142.146.in-addr.arpa IN
> denied recursion for query from [64.213.103.93].38431 for bls.gov IN
> denied recursion for query from [131.158.175.196].4523 for www.xerox.com IN
> denied recursion for query from [65.160.54.183].1361 for corporate.imgcorp.com IN
> denied recursion for query from [208.196.154.125].237 for stats.bls.gov IN
> denied recursion for query from [64.196.154.36].1160 for bis.180solutions.com IN
> denied recursion for query from [65.160.54.183].1366 for DDOMONKOS.corporate.imgcorp.com IN
> denied recursion for query from [66.44.45.222].1224 for pop.mail.rcn.net IN
> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [63.161.59.66].53 for 32.4.142.146.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [129.252.51.13].1837 for www.bls.gov IN
> denied recursion for query from [65.165.89.127].1105 for od1h1.mris.com IN
> denied recursion for query from [67.97.212.2].53 for 32.4.142.146.in-addr.arpa IN
> ------------------------------------------

> I really appreciate any reply.

> Sincerely,

> Ho

> Ho Cao Do
> NIH/CIT/DNST/CSS
> Federal Bldg., Room 4C10
> 7550 Wisconsin Ave.,
> Bethesda, MD 20892
> (301)435-1970   Voice
> (301)480-6041   Fax
> doh at mail.nih.gov



-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but I'm trying to keep spam out.
           Remove "icke-reklam" and it works.
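As an added example (not code from the thread or from ISC), a small Python check that reads "denied recursion" lines of the kind quoted above back against the quoted nih_ip_addresses ACL, so an operator can tell apart clients the ACL already covers, clients in a /16 of which the ACL lists only some subnets, and true outsiders. The ACL entries and the four sample log lines are copied from the message; the /16 "neighbour" heuristic and the function names are my own.

```python
import ipaddress
import re

# "nih_ip_addresses" as quoted in the thread; BIND's abbreviated 150.148.112/23
# and 150.148.218/23 are spelled out because ipaddress rejects the short form.
NIH_ACL = [ipaddress.ip_network(e, strict=False) for e in (
    "128.231.0.0/16", "137.187.0.0/16", "156.40.0.0/16", "165.112.0.0/16",
    "129.43.0.0/16", "199.249.158.0/24", "157.98.0.0/16", "130.14.0.0/16",
    "131.158.140.0/24", "131.158.81.0/24", "131.158.67.0/24", "131.158.67.113",
    "150.148.112.0/23", "150.148.218.0/23", "192.168.0.0/16", "205.128.154.0/24",
)]

# Four "denied recursion" lines copied from the quoted security.log.
SAMPLE_LOG = """\
denied recursion for query from [12.43.96.2].57202 for 135.66.142.146.in-addr.arpa IN
denied recursion for query from [131.158.21.110].3110 for a188.g.akamai.net IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [207.197.254.27].2544 for yahoo.com IN
"""

LINE_RE = re.compile(r"denied recursion for query from \[([\d.]+)\]\.(\d+) for (\S+) IN")

def acl_allows(acl, client):
    """True when the client matches some ACL entry, i.e. BIND 9 would have recursed."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in acl)

def same_slash16(acl, client):
    """True when the client shares a /16 with an ACL entry: a hint (my heuristic,
    not BIND's) that an internal subnet was simply left out of the ACL."""
    addr = ipaddress.ip_address(client)
    return any(addr in net.supernet(new_prefix=min(16, net.prefixlen)) for net in acl)

def audit_denials(acl, log_text):
    """Map each denied client to 'allowed' (matches the ACL yet was denied: investigate),
    'neighbour' (same /16 as an ACL entry but not listed) or 'outside'."""
    verdict = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a denied-recursion line
        client = m.group(1)
        if acl_allows(acl, client):
            verdict[client] = "allowed"
        elif same_slash16(acl, client):
            verdict[client] = "neighbour"
        else:
            verdict[client] = "outside"
    return verdict
```

Run against the full quoted log, the "neighbour" bucket is the one to look at first: those are the 131.158.x clients that the ACL's three 131.158 /24s do not cover.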