Bind 9 Security Issue

Michael Kjorling michael at kjorling.com
Wed Mar 6 20:08:08 UTC 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No, denying recursion to someone means that if that particular someone
asks your server about a record it is authoritative for, the response is
given out of authoritative data. If your server is not authoritative for
the zone in question, it'll either (a) hand out a referral OR (b) hand
out data out of its cache. But it won't step out of its way and do
additional work to make whoever sent the query happy.

What you did was deny recursion except to some selected networks. If
someone from one of those networks makes a query and sets the rd
(recursion desired) flag in the query packet, your server will allow
recursion and step out of its way to answer the query if that is
required. If someone who is not in the networks that you allowed
recursion to asks a recursive query (rd set) the server will simply
answer with what it's got - at "worst" a referral all the way back to
the root servers ([a-m].root-servers.net), and log a "recursion
denied" message if configured to do so. This is not the same as "query
denied", which means the server refused to answer the query at all
(this is controlled using the allow-query{} directive on global and/or
zone levels).


Michael Kjörling


On Mar 6 2002 14:53 -0500, Do, Ho cao (CIT) wrote:

> Yes, I did intend to deny recursive queries outside my network.  That means
> if someone outside my network asks for a hostname that my DNS server is not
> authorized for, it will not look for a non-authoritative answer.  If someone
> outside my network asks for a hostname that is in my DNS record, it will
> answer to them.
> The problem is that with BIND 8.2.5REL it seemed to work OK, but with BIND
> 9.2.0 it seems to interpret that "my boss said that I do not answer to your
> query because you are not my colleague".  In sum, with BIND 9.2.0, the DNS
> server will not allow the outside machines to query anything in our zone.
> (INSIDER works like a charm)
> Thank you for verifying and thanks for your time.
>
> Sincerely,
>
> Ho

- -- 
Michael Kjörling  --  Programmer/Network administrator  ^..^
Internet: michael at kjorling.com -- FidoNet: 2:204/254.4   \/
PGP: 95f1 074d 336d f8f0 f297 6a5b 2aa3 7bfd 8a70 e33e

``And indeed people sometimes speak of man's "bestial" cruelty, but
this is very unfair and insulting to the beasts: a beast can never be
so cruel as a man, so ingeniously, so artistically cruel.''
(Ivan Karamazov, in Dostoyevsky's 'The Brothers Karamazov')

*** Spammers: see http://michael.kjorling.com/spam ***
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Public key is at http://michael.kjorling.com/contact/pgp.html

iD8DBQE8hncqKqN7/Ypw4z4RAtQeAKDtLUJo2ddUXaonwgruLe5JAH8G3gCfbx8i
53JbEeYMof9DU9+hz5Prsxo=
=TVI4
-----END PGP SIGNATURE-----
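The distinction drawn above between denying recursion and denying queries maps onto two separate named.conf directives. The fragment below is an added illustration for this thread, not configuration posted by either participant; the network 192.0.2.0/24, the acl name "internal" and the zone example.com are placeholder values.

```conf
// Added example (not from the thread): limit recursion to our own networks
// while still answering everyone for the zone we are authoritative for.
// 192.0.2.0/24, "internal" and example.com are placeholder values.

acl "internal" {
    192.0.2.0/24;
    127.0.0.1;
};

options {
    directory "/var/named";

    // Anyone may send a query. Clients outside "internal" get authoritative
    // data, a referral, or whatever is already in the cache; only "internal"
    // clients get the server to chase an answer on their behalf when the
    // rd (recursion desired) flag is set.
    allow-query     { any; };
    allow-recursion { internal; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Redundant with the global setting above, but it documents the intent
    // and keeps the zone answerable if the global allow-query is tightened.
    allow-query { any; };
};
```

The symptom described in the quoted message, outside clients being refused even for names in the zone, is what a global `allow-query { internal; };` produces: allow-query applies to every query, authoritative ones included, unless a zone-level allow-query overrides it, so the tightening belongs on allow-recursion, not allow-query. With the fragment above, a query for an example.com name from outside the acl comes back NOERROR with the aa flag set, while a query for a foreign name comes back as a referral or a cached answer rather than REFUSED; running `dig @<server> example.com SOA` from an address outside the acl is the quick way to confirm the first case.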