PATCH to help 8.2.3 not pound on the root nameservers
LaMont Jones
lamont at hp.com
Tue Mar 20 15:04:00 UTC 2001
If you have a typical 8.2.3 configuration, with 'check-names response fail;',
then all it takes is a couple of lusers to pound on the root nameservers.
If you're a good sized corporation, it's pretty easy to have enough
mis-configured clients to become very _noticeable_.
The problematic flow looks like this:
1. Client asks for the A RR for 'web_proxy'.
2. Since it's not in the cache, BIND forwards the request (to the roots,
since we're talking about a TLD here.)
3. Root nameserver responds with NXDOMAIN.
4. BIND discards the response, since the name contains invalid characters.
5. Client asks again, see steps 2-4.
In order to prevent the round trip to the roots with the uncachable reply,
we need to reject the query, not the response. The attached patch therefore
makes it unconditional, based on the (new) 'check-names query' setting.
thoughts?
lamont
-- Attached file included as plaintext by Listar --
--- ns_config.c.orig Sat Dec 23 01:14:37 2000
+++ ns_config.c Mon Mar 19 13:36:39 2001
@@ -1126,6 +1126,7 @@
op->check_names[primary_trans] = fail;
op->check_names[secondary_trans] = warn;
op->check_names[response_trans] = ignore;
+ op->check_names[query_trans] = warn;
op->listen_list = NULL;
op->fwdtab = NULL;
/* XXX init forwarding */
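Review bot: the default chosen here for `check_names[query_trans]` is `warn`, while the cover note says the query check is made unconditional; if `warn` means log-and-accept as it does for the other transports, a badly named query is still forwarded by default and the round trip to the roots only stops once an operator adds `check-names query fail;`. Either default to `fail` (and document the compatibility impact) or say plainly in the description that the new behaviour is opt-in.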
--- ns_defs.h.orig Thu Nov 30 22:35:48 2000
+++ ns_defs.h Mon Mar 19 13:35:04 2001
@@ -681,7 +681,7 @@
#endif
};
-enum transport { primary_trans, secondary_trans, response_trans, update_trans,
+enum transport { primary_trans, secondary_trans, response_trans, update_trans, query_trans,
num_trans };
/* types used by the parser or config routines */
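Review bot: `query_trans` is inserted before `num_trans`, so arrays sized by `num_trans` (such as `check_names[]` touched in the ns_config.c hunk) grow automatically, but any table that lists the transports explicitly, for example a string table used when printing or dumping the configuration, needs a matching entry or it will be indexed past its end. Grep for every existing use of `response_trans` to make sure each site got the new value where it matters.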
--- ns_init.c.orig Sat Dec 23 01:14:38 2000
+++ ns_init.c Mon Mar 19 13:36:53 2001
@@ -407,6 +407,7 @@
case secondary_trans:
context = owner_ctx;
break;
+ case query_trans:
case response_trans:
context = hostname_ctx;
break;
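Review bot: the new `case query_trans:` intentionally falls into the `response_trans` arm so that query names get `hostname_ctx`; add a `/* FALLTHROUGH */` comment (or a one-line note that queries are validated by the same rules as responses) at that spot, since the intent is not visible from the code alone and fallthroughs are easy to mistake for omissions.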
--- ns_lexer.c.orig Tue Nov 28 23:55:58 2000
+++ ns_lexer.c Mon Mar 19 13:37:43 2001
@@ -307,6 +307,7 @@
{"print-severity", T_PRINT_SEVERITY},
{"print-time", T_PRINT_TIME},
{"pubkey", T_PUBKEY},
+ {"query", T_QUERY},
{"query-source", T_QUERY_SOURCE},
{"rfc2308-type1", T_RFC2308_TYPE1},
{"rrset-order", T_RRSET_ORDER},
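Review bot: `"query"` becomes a reserved keyword of the config lexer. The entry lands in the right position if this table is searched in sorted order (between `pubkey` and `query-source`), but please confirm the table's lookup method, and check that no existing configuration uses a bare `query` where an unquoted string is currently accepted, since such files would stop parsing after this change.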
--- ns_parser.y.orig Sat Dec 23 01:14:41 2000
+++ ns_parser.y Mon Mar 19 13:37:16 2001
@@ -195,7 +195,7 @@
%type <s_int> zone_type
%token T_IN T_CHAOS T_HESIOD
%token T_TYPE
-%token T_MASTER T_SLAVE T_STUB T_RESPONSE
+%token T_MASTER T_SLAVE T_STUB T_RESPONSE T_QUERY
%token T_HINT
%token T_MASTERS T_TRANSFER_SOURCE
%token T_PUBKEY
@@ -788,6 +788,10 @@
| T_RESPONSE
{
$$ = response_trans;
+ }
+ | T_QUERY
+ {
+ $$ = query_trans;
}
;
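Review bot: missing documentation: the `check-names` statement now accepts `query` alongside `master`, `slave` and `response`, but the patch touches no man page or doc. The named.conf documentation should describe the new option, its default, and that `fail` is the setting that actually prevents the forwarding described in the cover note.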
--- ns_req.c.orig Mon Jan 8 16:46:41 2001
+++ ns_req.c Mon Mar 19 16:47:23 2001
@@ -677,6 +677,14 @@
afterq = *cpp;
qtypeIncr(type);
+ if (!ns_nameok(qp, dnbuf, class, NULL, query_trans,
+ ns_ownercontext(type, query_trans),
+ dnbuf, from.sin_addr)) {
+ ns_debug(ns_log_default, 1, "bad name in query");
+ hp->rcode = ns_r_formerr;
+ return (Refuse);
+ }
+
/*
* Process query.
*/
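Review bot: `hp->rcode = ns_r_formerr;` followed by `return (Refuse);` looks contradictory; check whether the `Refuse` path in the caller overwrites `hp->rcode` (with REFUSED), in which case the FORMERR assignment is dead, and otherwise decide which rcode is intended. Note that a stub resolver that receives FORMERR or REFUSED typically moves on to the next server in resolv.conf rather than giving up, so the retry loop from step 5 of the cover note may simply shift to another server instead of stopping. Also, `ns_debug(..., 1, "bad name in query")` is only visible with debugging on; unless `ns_nameok` itself logs the rejection, consider logging the name and `from.sin_addr` at a level operators normally see, since finding the mis-configured clients is the point of the change.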
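The check the patch moves to query time, as an added illustration (not code from the patch or from BIND): a simplified model in which the query name is validated against the owner context of its qtype before a cache miss can be forwarded. The hostname-context label rules, the qtype-to-context mapping and the check-mode semantics are assumptions that approximate BIND 8's check-names.

```c
/* Added illustration, not code from the patch or from BIND: a simplified
 * model of the check-names decision the patch moves from response to query.
 * Label rules approximate BIND 8's hostname context (RFC 952/1123: letters,
 * digits, hyphens, no leading or trailing hyphen); mapping is an assumption. */
#include <ctype.h>

enum context { hostname_ctx, domain_ctx };
enum check_mode { check_ignore, check_warn, check_fail };
enum { T_A = 1, T_PTR = 12, T_MX = 15 };

/* Assumed: owner names of A and MX records must be host names. */
static enum context owner_context(int qtype)
{
    return (qtype == T_A || qtype == T_MX) ? hostname_ctx : domain_ctx;
}

/* 1 if every label of name is acceptable in ctx, else 0. */
static int name_ok(const char *name, enum context ctx)
{
    if (name[0] == '\0' || (name[0] == '.' && name[1] == '\0'))
        return 1;                           /* the root itself */
    while (*name != '\0') {
        const char *lab = name;
        while (*name != '\0' && *name != '.')
            name++;
        int len = (int)(name - lab);
        if (len == 0 || len > 63)
            return 0;                       /* empty or oversize label */
        if (ctx == hostname_ctx) {
            if (lab[0] == '-' || lab[len - 1] == '-')
                return 0;
            for (int i = 0; i < len; i++)
                if (!isalnum((unsigned char)lab[i]) && lab[i] != '-')
                    return 0;               /* e.g. the '_' in web_proxy */
        }
        if (*name == '.')
            name++;
    }
    return 1;
}

/* Query-time gate, as in the ns_req.c hunk: 1 = proceed (cache lookup and,
 * on a miss, forwarding), 0 = refuse here, before any upstream round trip. */
static int accept_query(const char *qname, int qtype, enum check_mode mode)
{
    if (mode == check_ignore || name_ok(qname, owner_context(qtype)))
        return 1;
    return mode == check_warn;              /* warn: log and proceed */
}
```

With `check_fail`, a lookup for `web_proxy` is refused locally; with `check_warn` or `check_ignore` it still goes upstream, which is why the default matters.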