allow-query does not seem to be working

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Mon Aug 8 17:43:24 UTC 2016


As already noted, allow-query will cause you to send back a REFUSED response. That’s sort of the whole point of the REFUSED RCODE.

If you want to not send back any response *whatsoever*, then take a look at the “blackhole” statement, but, honestly, this kind of “drop” function may, depending on network topology, be more efficiently performed in your firewall or IDS/IPS.

Be aware that a client that doesn’t get a response may retry the query, so simply “dropping” queries may ultimately prove counter-productive.

- Kevin

----------------------------------------------------------------------
Kevin Darcy
NAFTA Information Security Projects

FCA US LLC
1075 W Entrance Dr,
Auburn Hills, MI 48326
USA

Telephone: +1 (248) 838-6601
Mobile: +1 (810) 397-0103
Email: kevin.darcy at fcagroup.com

From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Frank Even
Sent: Saturday, August 06, 2016 4:42 PM
To: bind-users
Subject: allow-query does not seem to be working

I have a group of servers serving out multiple addresses via anycast.  I've been made aware that an IP outside of our network is hitting the boxes with queries, and we're returning data to the client.

With allow-query and allow-recursion locked to our subnets, this outside host is still getting responses, and I'm trying to figure out why.

named.conf snippet:

allow-query { mynets; };
allow-recursion { mynets; };

Yet in response to a host not from one of the subnets allowed, we're getting requests and returning some kind of response:

# tcpdump -i any -nvv src $myhost and dst 156.154.100.3
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
13:37:30.578020 IP (tos 0x0, ttl 64, id 5059, offset 0, flags [none], proto UDP (17), length 81)
    $myhost.33941 > 156.154.100.3.domain: [bad udp cksum f39c!] 54976 [1au] A? www.sparknewspaper.co.uk. ar: . OPT UDPsize=4096 OK (53)
13:37:30.578025 IP (tos 0x0, ttl 64, id 5059, offset 0, flags [none], proto UDP (17), length 81)
    $myhost.33941 > 156.154.100.3.domain: [bad udp cksum f39c!] 54976 [1au] A? www.sparknewspaper.co.uk. ar: . OPT UDPsize=4096 OK (53)
13:37:30.644502 IP (tos 0x0, ttl 64, id 5060, offset 0, flags [none], proto UDP (17), length 79)
    $myhost.61737 > 156.154.100.3.domain: [bad udp cksum fef9!] 7832 [1au] A? silverstonepaint.co.uk. ar: . OPT UDPsize=4096 OK (51)
13:37:30.644505 IP (tos 0x0, ttl 64, id 5060, offset 0, flags [none], proto UDP (17), length 79)
    $myhost.61737 > 156.154.100.3.domain: [bad udp cksum fef9!] 7832 [1au] A? silverstonepaint.co.uk. ar: . OPT UDPsize=4096 OK (51)
13:37:30.722628 IP (tos 0x0, ttl 64, id 5061, offset 0, flags [none], proto UDP (17), length 68)


If an IP is not allowed as part of an "allow-query" statement, should the name server still be returning any responses?

BIND version - BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6
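A way to check, from a host outside the permitted subnets, which of the three outcomes Kevin describes (data returned, REFUSED, or nothing at all) a server is actually producing for a given client address. This is an added example written for this archive page; it is not code from either poster and not part of BIND. It uses only the Python standard library and speaks the DNS wire format directly. The server address and query name are command-line arguments, and the helper names (build_query, classify_response, verdict, probe) and the fixed query ID 0x1234 are this example's own choices.

```python
#!/usr/bin/env python3
"""Probe a name server and report whether a query from this host is
answered, refused, or dropped. Added example; not BIND code."""
import socket
import struct
import sys
from typing import Optional

# RCODE names from RFC 1035. An allow-query / allow-recursion denial in
# BIND comes back as RCODE 5, REFUSED; a blackhole or firewall drop comes
# back as nothing, which shows up here as a socket timeout.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

QUERY_ID = 0x1234  # fixed ID for this example so replies can be matched


def build_query(qname: str, qid: int = QUERY_ID, rd: bool = True) -> bytes:
    """Build a minimal A/IN query in DNS wire format (no EDNS)."""
    flags = 0x0100 if rd else 0x0000  # RD bit: ask the server to recurse
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def classify_response(resp: bytes) -> dict:
    """Parse the 12-byte header of a reply and extract the fields we care about."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # 1 on a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # server says recursion is available
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def verdict(parsed: Optional[dict]) -> str:
    """Map a parsed reply (or None for a timeout) to what the server did."""
    if parsed is None:
        return "dropped"      # blackhole, firewall drop, or unreachable
    if parsed["rcode"] == "REFUSED":
        return "refused"      # the ACL worked as Kevin describes
    if parsed["answers"] > 0:
        return "answered"     # data came back to this client
    return "other:" + parsed["rcode"]


def probe(server: str, qname: str, timeout: float = 2.0) -> str:
    """Send one UDP query to server:53 and return the verdict string."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return verdict(None)
    parsed = classify_response(data)
    if parsed["id"] != QUERY_ID or not parsed["qr"]:
        return "other:unexpected-reply"
    return verdict(parsed)


if __name__ == "__main__":
    # usage: python3 probe_acl.py <server-ip> <name>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it once from a host inside the allowed subnets as a control (it should print "answered") and once from the outside address in question; "refused" means allow-query is doing its job and the traffic seen is just the REFUSED reply, while "dropped" is what a `blackhole { ...; };` entry or an upstream firewall drop produces. `dig @server name` shows the same thing as `status: REFUSED` in its header, but the script makes the timeout case explicit instead of leaving dig to retry.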
