DNS Cache Snooping?

Baird, Josh jbaird at follett.com
Tue Jun 24 13:23:05 UTC 2008

allow-query-cache was not introduced until 9.4.1-P1.  RHEL5 is currently
using bind-chroot-9.3.3-10.el5 (9.3.3).


-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Jeff Lightner
Sent: Tuesday, June 24, 2008 7:14 AM
To: Paul Vixie; comp-protocols-dns-bind at isc.org
Subject: RE: Re: DNS Cache Snooping?

An ACL called internaldns had been created to allow only our Windows DNS
servers to do recursive queries.  The following line was then added to
options section of named.conf:
        allow-recursion { internaldns; };

That worked like a champ - recursive queries from inside the network
work and those from outside are refused while still allowing outside
queries of the domains for which we are authoritative.

Based on what you wrote the following was added to the options:
        allow-query-cache { internaldns; };

However, on starting, named says this is an unknown option as follows:

[root at dswadns1 etc]# service named start
Starting named:
Error in named configuration:
/etc/named.conf:13: unknown option 'allow-query-cache'

Even stranger is this note that seems to suggest that because I'm
running 9.3.4 P1 (i.e. a pre 9.4 version of BIND) setting the
allow-recursion has the effect of setting allow-query-cache:

As noted in my original post though external queries are apparently
reading cache.

I'm running RHEL5 and am using the canned bind-chroot they provide.  Is
it possible they compiled in such a way that they excluded
allow-query-cache as an option altogether?

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Paul Vixie
Sent: Monday, June 23, 2008 8:00 PM
To: comp-protocols-dns-bind at isc.org
Subject: Re: DNS Cache Snooping?

"Jeff Lightner" <jlightner at water.com> writes:

> I have prevented recursive lookups from outside.  However on doing
> I have confirmed that recent recursive lookups from inside do in fact
> cause the servers to cache the records and subsequent digs from
> while confirming recursive lookup was denied do get the same record
> cache as was returned on the original lookup from inside.   

you'll need to turn off allow-query-cache as well as allow-recursion on
outside network, or just turn off allow-query in the externally visible
view, if you're using views to separate recursive vs. authoritative

Paul Vixie
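The view-based separation Paul Vixie mentions, written out as an added named.conf example (not configuration from anyone in this thread). It uses only directives that exist in the 9.3 branch, so it does not depend on allow-query-cache; each view keeps its own cache, so queries matched to the non-recursive external view never see records that internal recursion placed in the internal view's cache. The acl addresses and the zone name are placeholders.

```conf
// Placeholder: the internal resolvers that are allowed to recurse.
acl internaldns { 10.0.0.0/8; 192.168.1.5; };

options {
    directory "/var/named";
    // Global default is the restrictive one; views override as needed.
    recursion no;
};

// Internal view: matched first, so internaldns clients land here.
// It is the only view that recurses and therefore the only view
// whose cache ever holds third-party records.
view "internal" {
    match-clients { internaldns; };
    recursion yes;
    allow-recursion { internaldns; };
    allow-query { internaldns; };

    // Root hints belong only in the view that actually recurses.
    zone "." { type hint; file "named.ca"; };

    zone "example.com" { type master; file "db.example.com"; };
};

// External view: everyone else. No recursion, no hint zone, so this
// view's cache stays empty and only authoritative zone data is served.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };

    zone "example.com" { type master; file "db.example.com"; };
};
```

After reloading, check from an external address that a non-recursive query for a name you previously resolved from inside returns REFUSED or no answer rather than the cached record; on a 9.4.1-P1 or later build, allow-query-cache { internaldns; } can additionally be set in the internal view.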
