9.7.0a2 - deny-answer-addresses
clemens fischer
ino-news at spotteswoode.dnsalias.org
Fri Aug 21 14:43:52 UTC 2009
'uname -rms':
    Linux 2.6.30.4-spott-gecd13d4 i686

'/l/sbin/named -V':
    BIND 9.7.0a2 built with '--prefix=/opt/bind/9.7.0a2'
    '--with-openssl=yes' '--disable-linux-caps'
    '--sysconfdir=/usr/local/etc' '--localstatedir=/var' 'CFLAGS=-O'
I want to disallow rebinding attacks in a caching resolver. In the
top-level options I have:
    deny-answer-addresses {
        127/8; 192.168/16; 10/8; 172.16/12;
    } except-from {
        "zen.spamhaus.org";
        "dnsbl-1.uceprotect.net";
        "dnsbl-1.uceprotect.net";
        "ix.dnsbl.manitu.net";
    };
I get:
    received SIGHUP signal to reload zones
    loading configuration from '/usr/local/etc/named.conf'
    ...
    reloading configuration failed: already exists
Putting a suitably modified version of "deny-answer-addresses" into
a forwarder zone returns:
    received SIGHUP signal to reload zones
    loading configuration from '/usr/local/etc/named.conf'
    /usr/local/etc/named.conf:83: unknown option 'deny-answer-addresses'
I also tried to split "deny-answer-addresses" into several pieces, but
this yields "'deny-answer-addresses' redefined ...".
Countering DNS rebinding in a caching resolver always has to account for
at least two practical problems: anti-spam RBLs and providers running
split horizon. To handle the former, it should be possible to specify
a statement, or better several statements, where the denied IP ranges can
be fitted with a number of exception domains. Split horizon would require
putting "deny-answer-addresses" into forwarding zones.
IMO the current usage scenario, if I understood the configuration
correctly, is only suited to domain owners running split horizon.
But maybe this is a bug?
clemens
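Added here as an illustration, not part of the post or of BIND's own code: a small model of what deny-answer-addresses / except-from does to an answer, following the behaviour the BIND manual describes (deny an A/AAAA answer in a listed range unless the query name is at or below an except-from domain). It also reports except-from names listed twice; that a repeated entry is what produces "already exists" on reload is an assumption, not something the post confirms. Network prefixes are written in full CIDR form because Python's ipaddress module does not accept BIND's short "127/8" notation.

```python
"""Model of BIND's deny-answer-addresses / except-from filtering.

Added example, not from the original post or from ISC's BIND source.
It mimics the documented behaviour: an A/AAAA answer whose address falls
in a denied range is rejected unless the queried name is at or below one
of the except-from domains.  It also flags duplicate except-from entries,
which is an assumed (unconfirmed) cause of the "already exists" error.
"""
import ipaddress
from collections import Counter

# Constructed configuration mirroring the block from the post; the
# repeated dnsbl-1.uceprotect.net line is kept on purpose.
DENIED = ["127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
EXCEPT_FROM = [
    "zen.spamhaus.org",
    "dnsbl-1.uceprotect.net",
    "dnsbl-1.uceprotect.net",
    "ix.dnsbl.manitu.net",
]


def duplicate_exceptions(names):
    """Return except-from names that appear more than once (case-insensitive)."""
    counts = Counter(n.lower().rstrip(".") for n in names)
    return sorted(n for n, c in counts.items() if c > 1)


def in_except_from(qname, names):
    """True if qname equals or is a subdomain of any except-from name."""
    q = qname.lower().rstrip(".")
    for n in names:
        n = n.lower().rstrip(".")
        if q == n or q.endswith("." + n):
            return True
    return False


def answer_allowed(qname, address, denied=DENIED, except_from=EXCEPT_FROM):
    """Decide whether the resolver should pass an A/AAAA answer to the client."""
    if in_except_from(qname, except_from):
        return True  # RBL lookups legitimately answer with 127.0.0.x
    addr = ipaddress.ip_address(address)
    return not any(addr in ipaddress.ip_network(net) for net in denied)


if __name__ == "__main__":
    print("duplicates:", duplicate_exceptions(EXCEPT_FROM))
    print(answer_allowed("2.0.0.127.zen.spamhaus.org", "127.0.0.2"))
    print(answer_allowed("rebind.example", "192.168.1.1"))
```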