DNS Cache Snooping?

Jeff Lightner jlightner at water.com
Tue Jun 24 12:14:13 UTC 2008

An ACL called internaldns had been created to allow only our Windows DNS
servers to do recursive queries.  The following line was then added to
the options section of named.conf:
        allow-recursion { internaldns; };

That worked like a champ - recursive queries from inside the network
work and those from outside are refused while still allowing outside
queries of the domains for which we are authoritative.

Based on what you wrote the following was added to the options:
        allow-query-cache { internaldns; };

However, on starting, named says this is an unknown option, as follows:

[root at dswadns1 etc]# service named start
Starting named:
Error in named configuration:
/etc/named.conf:13: unknown option 'allow-query-cache'

Even stranger is this note that seems to suggest that because I'm
running 9.3.4 P1 (i.e. a pre 9.4 version of BIND) setting the
allow-recursion has the effect of setting allow-query-cache:

As noted in my original post, though, external queries are apparently
reading the cache.

I'm running RHEL5 and am using the canned bind-chroot they provide.  Is
it possible they compiled in such a way that they excluded
allow-query-cache as an option altogether?

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Paul Vixie
Sent: Monday, June 23, 2008 8:00 PM
To: comp-protocols-dns-bind at isc.org
Subject: Re: DNS Cache Snooping?

"Jeff Lightner" <jlightner at water.com> writes:

> I have prevented recursive lookups from outside.  However on doing
> I have confirmed that recent recursive lookups from inside do in fact
> cause the servers to cache the records and subsequent digs from
> while confirming recursive lookup was denied do get the same record
> cache as was returned on the original lookup from inside.   

you'll need to turn off allow-query-cache as well as allow-recursion on
outside network, or just turn off allow-query in the externally visible
view, if you're using views to separate recursive vs. authoritative
Paul Vixie

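The views-based separation Paul Vixie suggests, written out as an added example for this thread (it is not configuration from the original post, from ISC, or from the RHEL bind-chroot package). The ACL name internaldns is taken from the post; the address ranges, the zone name example.com, the zone file name and the chroot path are assumptions. The point of the split is that each view carries its own cache, so lookups recursed for internal clients never populate a cache that external clients can query, and non-recursive probes from outside get REFUSED for anything that is not an authoritative zone. On BIND 9.3, where named rejects allow-query-cache as an unknown option, the two allow-query-cache lines are dropped and the views alone do the work; on 9.4 and later they are kept as an explicit second line of defence.

```conf
// Added example, not from the original post or from ISC.
// Assumed: 10.0.0.0/8 is the internal network, example.com is the zone.
acl internaldns { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";           // assumed; bind-chroot remaps /etc/named.conf
    // Safe defaults for anything not matched by a view below.
    recursion no;
    allow-recursion { internaldns; };
};

// Internal view: recursive resolver for our own clients only.
// This view has its own cache; nothing outside can reach it.
view "internal" {
    match-clients { internaldns; };
    recursion yes;
    allow-query { internaldns; };
    allow-query-cache { internaldns; };   // BIND 9.4+ only; omit on 9.3
    zone "example.com" {
        type master;
        file "example.com.zone";      // assumed file name
    };
};

// External view: authoritative only. Nothing is recursed here, so this
// view's cache never holds records worth snooping, and allow-query at
// the view level refuses everything except the zone that overrides it.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
    allow-query-cache { none; };          // BIND 9.4+ only; omit on 9.3
    zone "example.com" {
        type master;
        file "example.com.zone";      // assumed file name
        allow-query { any; };         // zone-level override: public data only
    };
};
```

Once views are in use every zone must live inside a view, so a zone that is served to both sides is declared in both, as above. Check the file with `named-checkconf` before restarting, then repeat the probe from the original post from an outside address: `dig @<server> +norecurse www.example.net A` (any name the internal side has recently resolved) should now come back REFUSED rather than with the cached answer, while `dig @<server> www.example.com A` still answers from the authoritative zone.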