9.7.0a2 - deny-answer-addresses

clemens fischer ino-news at spotteswoode.dnsalias.org
Fri Aug 21 14:43:52 UTC 2009


'uname -rms'
Linux 2.6.30.4-spott-gecd13d4 i686

'/l/sbin/named -V'
BIND 9.7.0a2 built with '--prefix=/opt/bind/9.7.0a2'
'--with-openssl=yes' '--disable-linux-caps'
'--sysconfdir=/usr/local/etc' '--localstatedir=/var' 'CFLAGS=-O'

I want to disallow rebinding attacks in a caching resolver.  In the
top-level options I have:

  deny-answer-addresses {
      127/8; 192.168/16; 10/8; 172.16/12;
  } except-from {
      "zen.spamhaus.org";
      "dnsbl-1.uceprotect.net";
      "dnsbl-1.uceprotect.net";
      "ix.dnsbl.manitu.net";
  };

I get:

  received SIGHUP signal to reload zones
  loading configuration from '/usr/local/etc/named.conf'
  ...
  reloading configuration failed: already exists
 
Putting a suitably modified version of "deny-answer-addresses" into
a forwarder zone returns:
 
  received SIGHUP signal to reload zones
  loading configuration from '/usr/local/etc/named.conf'
  /usr/local/etc/named.conf:83: unknown option 'deny-answer-addresses'

I also tried to split "deny-answer-addresses" into several pieces, but
this yields "'deny-answer-addresses' redefined ...".

Countering DNS rebinding in a caching resolver always has to account for
at least two practical problems:  anti-spam RBLs and providers running
split horizon.  To handle the former, it should be possible to specify
a statement, or better several statements, where the denied IP ranges can be
fitted with a number of exception domains.  Split horizon would require
putting "deny-answer-addresses" into forwarding zones.

IMO the current usage scenario, if I understood the configuration
correctly, is only suited to domain owners running split horizon.

But maybe this is a bug?


clemens
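An added example, not from the original post and not BIND's own code: a small Python model of the policy the post describes, in which an answer carrying an address inside one of the denied ranges is refused unless the queried name falls under an except-from domain. It also reports duplicated except-from entries, such as the repeated "dnsbl-1.uceprotect.net" in the posted config. It simplifies BIND's real behaviour (no CNAME chain handling); the query names and addresses used at the bottom are constructed.

```python
import ipaddress

# Denied ranges from the posted config, written out as full CIDR prefixes.
DENIED = [ipaddress.ip_network(n) for n in
          ("127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# except-from names exactly as posted; the duplicate is kept on purpose
# so that duplicate_names() has something to report.
EXCEPT_FROM = ["zen.spamhaus.org", "dnsbl-1.uceprotect.net",
               "dnsbl-1.uceprotect.net", "ix.dnsbl.manitu.net"]


def _norm(name):
    """Lower-case a DNS name and strip a trailing dot for comparison."""
    return name.lower().rstrip(".")


def duplicate_names(names):
    """Return except-from entries that appear more than once (normalised)."""
    seen, dups = set(), []
    for n in map(_norm, names):
        if n in seen and n not in dups:
            dups.append(n)
        seen.add(n)
    return dups


def name_in_domain(qname, domain):
    """True if qname equals domain or is a subdomain of it."""
    q, d = _norm(qname), _norm(domain)
    return q == d or q.endswith("." + d)


def answer_allowed(qname, addresses, denied=DENIED, except_from=EXCEPT_FROM):
    """Return (allowed, reason) for an answer to qname containing addresses.

    Models the intent of deny-answer-addresses / except-from: the exception
    is keyed on the queried name, so an RBL lookup that legitimately returns
    127.0.0.x passes, while an arbitrary name resolving to RFC 1918 or
    loopback space (the rebinding case) is refused.
    """
    if any(name_in_domain(qname, d) for d in except_from):
        return True, "query name is under an except-from domain"
    for a in addresses:
        ip = ipaddress.ip_address(a)
        for net in denied:
            if ip in net:
                return False, f"{a} is within denied range {net}"
    return True, "no denied addresses in answer"


if __name__ == "__main__":
    # Constructed sample queries, not captured traffic.
    print(answer_allowed("2.0.0.127.zen.spamhaus.org", ["127.0.0.2"]))
    print(answer_allowed("attacker.example", ["10.0.0.5"]))
    print("duplicates:", duplicate_names(EXCEPT_FROM))
```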
