Bind 9 Security Issue

phn at icke-reklam.ipsec.nu
Thu Mar 7 08:30:54 UTC 2002


"Do, Ho cao (CIT)" <doh at mail.nih.gov> wrote:

> Yes, I did intend to deny recursive queries outside my network.  That means
> if the outside my network asks for the hostname that my DNS server is not
> authorized, it will not look for non-authoritative answer.  If the outside my
> network asks for the hostname that is in my DNS record, it will answer to
> them.
> The problem is that with BIND 8.2.5REL it seemed to work OK, but with BIND
> 9.2.0 it seems to interpret that "my boss said that I do not answer to your
> query because you are not my colleague".  In sum, with BIND 9.2.0, the DNS
> server will not allow the outside machines to query any thing in our zone.

There was no querylog showing either.

What was in the log were events where outsiders asked for stuff NOT served
by your server; these were denied (as they should be).

Whether your server answers questions about the zones it's authoritative for
does not show up, but I would be very surprised if it did not.

Now, what is the nameserver's address, and what zones does it serve?


> (INSIDER works like a charm)
> Thank you for verifying and thanks for your time.

> Sincerely,

> Ho

> -----Original Message-----
> From: phn at icke-reklam.ipsec.nu [mailto:phn at icke-reklam.ipsec.nu]
> Sent: Wednesday, March 06, 2002 2:30 PM
> To: comp-protocols-dns-bind at isc.org
> Subject: Re: Bind 9 Security Issue



> "Do, Ho cao (CIT)" <doh at mail.nih.gov> wrote:

>> Hello all,

>> Our DNS system has experienced some unexpected security issues since we
>> updated from 8.2.5REL to 9.2.0.  The problem is that in the named.conf file
>> we only allow our inside machines to do recursive queries.  It was working
>> fine with 8.2.5.  However with 9.2.0, it seems to deny any query from
>> outside our network.  Please advise.

> Your log shows "denied recursion", that's what you have configured.

> Or did I misunderstand your question?

> Peter h


>> Portion of reference in NAMED.CONF file
>> --------------------------------------
>> // generated by named-bootconf.pl
>> acl "nih_secondary_dns" {
>>                                 {128.231.64.1;
>>                                  130.14.35.128;
>>                                  204.123.2.18;
>>                                  204.123.2.19;
>>                                  130.14.25.2;
>>                                              };
>> };

>> acl "nih_ip_addresses" {
>>                                 {128.231.0.0/16;
>>                                  137.187.0.0/16;
>>                                  156.40.0.0/16;
>>                                  165.112.0.0/16;
>>                                  129.43.0.0/16;
>>                                  199.249.158.0/24;
>>                                  157.98.0.0/16;
>>                                  130.14.0.0/16;
>>                                  131.158.140.0/24;
>>                                  131.158.81.0/24;
>>                                  131.158.67.0/24;
>>                                  131.158.67.113;
>>                                  150.148.112/23;
>>                                  150.148.218/23;
>>                                  192.168.0.0/16;
>>                                  205.128.154.0/24;
>>                                               };
>> };


>> options {

>>         allow-recursion { "nih_ip_addresses"; }; 

>>         recursive-clients 10000;

>>         directory "/etc/namedb";

>>        allow-transfer
>>        { "nih_secondary_dns";
>>          "nih_ip_addresses";
>>        };


>> };

>> --------------------------------------------
>> Portion of the security.log
>> --------------------------------------------
>> denied recursion for query from [12.43.96.2].57202 for 135.66.142.146.in-addr.arpa IN
>> denied recursion for query from [199.159.244.52].3730 for po.nrcs.usda.gov IN
>> denied recursion for query from [65.165.89.127].1100 for od6011-p1.mris.com IN
>> denied recursion for query from [131.158.21.110].3110 for a188.g.akamai.net IN
>> denied recursion for query from [131.158.21.110].3112 for a188.g.akamai.net IN
>> denied recursion for query from [208.209.39.37].41780 for 1.162.136.198.in-addr.arpa IN
>> denied recursion for query from [32.97.140.109].5527 for 24.4.142.146.in-addr.arpa IN
>> denied recursion for query from [207.197.254.27].2544 for yahoo.com IN
>> denied recursion for query from [134.174.20.16].4990 for www.bls.gov IN
>> denied recursion for query from [207.197.254.27].2545 for mail.nih.gov.gatewayone.com IN
>> denied recursion for query from [64.200.160.21].64084 for 24.4.142.146.in-addr.arpa IN
>> denied recursion for query from [207.55.158.8].53 for 32.4.142.146.in-addr.arpa IN
>> denied recursion for query from [131.158.175.196].4477 for www.apple.com.akadns.net IN
>> denied recursion for query from [128.252.120.1].60586 for nohic.aerie.com IN
>> denied recursion for query from [216.185.192.2].53 for www.bls.gov IN
>> denied recursion for query from [64.28.67.21].47050 for 69.47.142.146.in-addr.arpa IN
>> denied recursion for query from [64.213.103.93].38431 for bls.gov IN
>> denied recursion for query from [131.158.175.196].4523 for www.xerox.com IN
>> denied recursion for query from [65.160.54.183].1361 for corporate.imgcorp.com IN
>> denied recursion for query from [208.196.154.125].237 for stats.bls.gov IN
>> denied recursion for query from [64.196.154.36].1160 for bis.180solutions.com IN
>> denied recursion for query from [65.160.54.183].1366 for DDOMONKOS.corporate.imgcorp.com IN
>> denied recursion for query from [66.44.45.222].1224 for pop.mail.rcn.net IN
>> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
>> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
>> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
>> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
>> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
>> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
>> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
>> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
>> denied recursion for query from [63.161.59.66].53 for 32.4.142.146.in-addr.arpa IN
>> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
>> denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
>> denied recursion for query from [129.252.51.13].1837 for www.bls.gov IN
>> denied recursion for query from [65.165.89.127].1105 for od1h1.mris.com IN
>> denied recursion for query from [67.97.212.2].53 for 32.4.142.146.in-addr.arpa IN
>> ------------------------------------------

>> I really appreciate any reply.

>> Sincerely,

>> Ho

>> Ho Cao Do
>> NIH/CIT/DNST/CSS
>> Federal Bldg., Room 4C10
>> 7550 Wisconsin Ave.,
>> Bethesda, MD 20892
>> (301)435-1970   Voice
>> (301)480-6041   Fax
>> doh at mail.nih.gov



> -- 
> Peter Håkanson         
>         IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
>            Sorry about my e-mail address, but i'm trying to keep spam out.
> 	   Remove "icke-reklam" and it works.


-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
	   Remove "icke-reklam" and it works.
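As an added triage aid (not code from the thread or from BIND), here is a Python script that replays the allow-recursion ACL and the security.log format quoted above: it labels each "denied recursion" entry by whether the client is inside the ACL and whether the queried name falls under a zone the server is assumed to serve, and lists denied clients that sit in a /16 the ACL covers only partly. The authoritative zone list (AUTH_ZONES) and the last two sample log lines are assumptions, not data from the thread.

```python
import ipaddress
import re

# allow-recursion ACL from the named.conf quoted above; the two three-octet
# entries (150.148.112/23, 150.148.218/23) are written out as full CIDRs.
NIH_IP_ADDRESSES = [ipaddress.ip_network(n) for n in (
    "128.231.0.0/16", "137.187.0.0/16", "156.40.0.0/16", "165.112.0.0/16",
    "129.43.0.0/16", "199.249.158.0/24", "157.98.0.0/16", "130.14.0.0/16",
    "131.158.140.0/24", "131.158.81.0/24", "131.158.67.0/24", "131.158.67.113",
    "150.148.112.0/23", "150.148.218.0/23", "192.168.0.0/16", "205.128.154.0/24")]
# Zones the server is assumed authoritative for (hypothetical: the thread never
# says which zones it serves; replace with the real list).
AUTH_ZONES = ("nih.gov", "231.128.in-addr.arpa")
LOG_RE = re.compile(r"denied recursion for query from \[([\d.]+)\]\.\d+ for (\S+) IN")

def in_acl(ip):
    return any(ipaddress.ip_address(ip) in net for net in NIH_IP_ADDRESSES)

def in_auth_zone(qname):
    qname = qname.rstrip(".").lower()
    return any(qname == z or qname.endswith("." + z) for z in AUTH_ZONES)

def classify(line):
    # Return (client, label) for one "denied recursion" line, else None.
    m = LOG_RE.search(line)
    if not m:
        return None
    client, qname = m.groups()
    if in_acl(client):
        return client, "acl-client-denied"    # ACL should have allowed this: check the config
    if in_auth_zone(qname):
        return client, "outsider-own-zone"    # authoritative data is answered without recursion
    return client, "outsider-foreign-name"    # expected: outsiders get no recursion

def triage(log_text):
    # Count labels; also list denied clients inside a /16 the ACL covers only partly.
    counts, clients = {}, set()
    for hit in filter(None, map(classify, log_text.splitlines())):
        clients.add(hit[0])
        counts[hit[1]] = counts.get(hit[1], 0) + 1
    partial16 = {n.supernet(new_prefix=16) for n in NIH_IP_ADDRESSES if n.prefixlen > 16}
    near = [c for c in clients if not in_acl(c)
            and any(ipaddress.ip_address(c) in p for p in partial16)]
    return {"counts": counts, "near_misses": sorted(near, key=ipaddress.ip_address)}

# Constructed sample: three lines in the shape of the security.log above plus two
# made-up ones (128.231.64.1, www.nih.gov) to exercise the other two labels.
SAMPLE_LOG = """\
denied recursion for query from [12.43.96.2].57202 for 135.66.142.146.in-addr.arpa IN
denied recursion for query from [131.158.175.194].49152 for 194.175.158.131.in-addr.arpa IN
denied recursion for query from [131.158.21.110].3110 for a188.g.akamai.net IN
denied recursion for query from [128.231.64.1].1234 for www.example.com IN
denied recursion for query from [64.200.160.21].64084 for www.nih.gov IN
"""
```

Run against the real security.log, the near_misses list is the first thing to look at: the 131.158.175.x and 131.158.21.x clients in the thread's log share a /16 with ACL entries but match none of them, so they are treated as outsiders.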

