DNS Cache Snooping?

Jeff Lightner jlightner at water.com
Tue Jun 24 13:34:57 UTC 2008

Thanks.  I'd pretty much come to that conclusion based on my searches.
I guess that means the link even though it is on ISC's site is

Current RHEL5 bind-chroot (and other bind packages) version is
9.3.4-6.P1.el5.   It was updated within the last month.  It includes a
fix for CVE-2008-0122.   I had installed a new server a week or so ago
and got this in the yum update.   Yesterday I updated my other server to
this version specifically because there was a scan hit on CVE-2008-0122.
That scan was based on the BIND version so would still peg this, but the
details at RHN confirm the fix was added by Red Hat to the 9.3.4-6 P1.

Does setting max-cache-ttl to a low value instead help remediate the
DNS cache snooping?

-----Original Message-----
From: Baird, Josh [mailto:jbaird at follett.com] 
Sent: Tuesday, June 24, 2008 9:23 AM
To: Jeff Lightner; Paul Vixie; comp-protocols-dns-bind at isc.org
Subject: RE: Re: DNS Cache Snooping?

allow-query-cache was not introduced until 9.4.1-P1.  RHEL5 is currently
using bind-chroot-9.3.3-10.el5 (9.3.3).


-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Jeff Lightner
Sent: Tuesday, June 24, 2008 7:14 AM
To: Paul Vixie; comp-protocols-dns-bind at isc.org
Subject: RE: Re: DNS Cache Snooping?

An ACL called internaldns had been created to allow only our Windows DNS
servers to do recursive queries.  The following line was then added to
options section of named.conf:
        allow-recursion { internaldns; };

That worked like a champ - recursive queries from inside the network
work and those from outside are refused while still allowing outside
queries of the domains for which we are authoritative.

Based on what you wrote the following was added to the options:
        allow-query-cache { internaldns; };

However, on starting, named says this is an unknown option, as follows:

[root at dswadns1 etc]# service named start
Starting named:
Error in named configuration:
/etc/named.conf:13: unknown option 'allow-query-cache'

Even stranger is this note that seems to suggest that because I'm
running 9.3.4 P1 (i.e. a pre-9.4 version of BIND) setting
allow-recursion has the effect of setting allow-query-cache:

As noted in my original post though external queries are apparently
reading cache.

I'm running RHEL5 and am using the canned bind-chroot they provide.  Is
it possible they compiled in such a way that they excluded
allow-query-cache as an option altogether?

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Paul Vixie
Sent: Monday, June 23, 2008 8:00 PM
To: comp-protocols-dns-bind at isc.org
Subject: Re: DNS Cache Snooping?

"Jeff Lightner" <jlightner at water.com> writes:

> I have prevented recursive lookups from outside.  However on doing
> I have confirmed that recent recursive lookups from inside do in fact
> cause the servers to cache the records and subsequent digs from
> while confirming recursive lookup was denied do get the same record
> cache as was returned on the original lookup from inside.   

you'll need to turn off allow-query-cache as well as allow-recursion on
outside network, or just turn off allow-query in the externally visible
view, if you're using views to separate recursive vs. authoritative
Paul Vixie
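A views-based named.conf that separates the recursive and authoritative roles, as Paul Vixie suggests above, so that outside clients can never read the cache at all. This is an added example, not a configuration from the thread or from ISC; it uses BIND 9.4+ syntax (allow-query-cache, which the thread notes the RHEL5 9.3.x package rejects as unknown), and the ACL name internaldns, the zone example.com and the 192.0.2.0/24 prefix are assumed.

```conf
// Added example; assumed names: ACL "internaldns", zone "example.com".
// 192.0.2.0/24 is a documentation prefix standing in for the inside network.
acl internaldns { 192.0.2.0/24; };

options {
    directory "/var/named";
};

// Inside clients: full resolver. Recursion and cache answers are limited
// to the ACL, so nothing outside this view can ever see cached records.
view "internal" {
    match-clients { internaldns; };
    recursion yes;
    allow-query { internaldns; };
    allow-query-cache { internaldns; };
    zone "example.com" { type master; file "example.com.zone"; };
};

// Everyone else: authoritative only. "allow-recursion" alone (the thread's
// starting point) refuses recursion but still lets a non-recursive query
// read records already in the cache; this view has no usable cache.
view "external" {
    match-clients { any; };
    recursion no;                  // never resolve on behalf of outsiders
    allow-query-cache { none; };   // never answer from cache either
    // allow-query keeps its default (any): only the authoritative zone
    // below can be answered in this view, which is the intended behaviour.
    zone "example.com" { type master; file "example.com.zone"; };
};
```

After reloading, a query for a name outside example.com sent with recursion desired off from an outside address should be refused rather than answered from cache, which is the check described in the original post.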
