Advisory Notice for Bind Default Configuration and Reflector Attacks
Gregory Neil Shapiro
gshapiro at gshapiro.net
Fri Mar 24 06:26:25 UTC 2006
> or you'll have to set up a multilevel config file as follows:
>
> # global settings
> options {
> ...
> recursion yes;
> allow-query { localnets; };
> ...
> };
>
> # for every zone
> zone ... {
> allow-query { any; };
> };
Unfortunately, I tried to do this a while back and it breaks CNAMEs to
external sites. For example, on the master for example.com, I have
entries:
example.com. IN A 10.214.26.16
www.example.com. IN CNAME example.com.
whois.example.com. IN CNAME whois.internic.net.
With a config:
options
{
        allow-query
        {
                localhost;
                localnets;
        };
        allow-recursion
        {
                localhost;
                localnets;
        };
        ...
};

zone "example.com"
{
        type master;
        allow-query
        {
                any;
        };
        file "master/example.com";
};
Attempts from a non-"localnets" client to look up www.example.com work
fine because the CNAME points to a zone that is locally served:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50669
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 21600 IN CNAME example.com.
example.com. 21600 IN A 10.214.26.17
However, lookups for whois.example.com fail with "REFUSED":
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 30393
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;whois.example.com. IN A
If I set the global allow-query to any (thereby allowing the world to
use my server), I get what I would hope for in the previous case:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38745
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;whois.example.com. IN A
;; ANSWER SECTION:
whois.example.com. 21600 IN CNAME whois.internic.net.
I'm assuming that the client would then do its own lookup for
whois.internic.net after getting just the CNAME returned.
Is this a bug in the allow-query checking or am I missing something in
my settings? I am running 9.3.2 in case it matters.
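The configuration pattern discussed in this thread (a restrictive global allow-query with per-zone allow-query { any; }) can be audited statically. The script below is an added example written for this archive page; it is not code from the original post or from ISC. It takes a named.conf and a zone file as text, and flags every CNAME whose owner is in a world-queryable zone but whose target is not in any zone the server serves, which is exactly the whois.example.com case above that external clients see REFUSED. The named.conf and zone-file contents are constructed samples modelled on the post, and the parser is deliberately minimal (no $ORIGIN, $INCLUDE, views or acl statements).

```python
"""Added example, not part of the original post: find CNAMEs that external
clients can query but cannot follow when the global allow-query ACL is
restrictive and a zone sets allow-query { any; }.  Inputs are constructed
samples modelled on the thread; the named.conf parser is intentionally
minimal (no $ORIGIN/$INCLUDE, views or named acl statements)."""
import re

# Constructed named.conf excerpt, modelled on the configuration in the post.
NAMED_CONF = """
options {
    allow-query { localhost; localnets; };
    allow-recursion { localhost; localnets; };
};
zone "example.com" {
    type master;
    allow-query { any; };
    file "master/example.com";
};
"""

# Constructed zone file, modelled on the three records in the post.
ZONE_EXAMPLE_COM = """
example.com.        IN A     10.214.26.16
www.example.com.    IN CNAME example.com.
whois.example.com.  IN CNAME whois.internic.net.   ; target is not served here
"""


def _block(text, start):
    """Return the text between the brace opening at text[start] and its match."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def parse_named_conf(conf):
    """Return (global_allow_query, {zone: zone_allow_query or None}).

    An ACL is returned as a list of its address-match tokens; None means the
    statement is absent at that level."""
    def acl(body, name):
        m = re.search(re.escape(name) + r'\s*\{', body)
        if not m:
            return None
        return [t.strip() for t in _block(body, m.end() - 1).split(';') if t.strip()]

    m = re.search(r'\boptions\s*\{', conf)
    global_acl = acl(_block(conf, m.end() - 1), 'allow-query') if m else None
    zones = {}
    for zm in re.finditer(r'\bzone\s+"([^"]+)"\s*\{', conf):
        zones[zm.group(1).rstrip('.').lower()] = acl(_block(conf, zm.end() - 1), 'allow-query')
    return global_acl, zones


def served_by(name, zones):
    """Return the locally served zone that contains name, or None."""
    name = name.rstrip('.').lower()
    for z in zones:
        if name == z or name.endswith('.' + z):
            return z
    return None


def parse_cnames(zone_text):
    """Return (owner, target) pairs for CNAME records; comments are stripped."""
    out = []
    for line in zone_text.splitlines():
        toks = line.split(';')[0].split()
        if 'CNAME' in toks:
            out.append((toks[0], toks[-1]))
    return out


def external_cname_findings(conf, zone_text):
    """CNAMEs reachable by any client whose targets lie outside every served zone.

    Under a restrictive global allow-query the server refuses to chase such a
    target for clients outside the global ACL, as observed in the post."""
    global_acl, zones = parse_named_conf(conf)
    # BIND 9.3 defaults allow-query to any when the statement is absent.
    global_open = global_acl is None or 'any' in global_acl
    findings = []
    for owner, target in parse_cnames(zone_text):
        owner_zone = served_by(owner, zones)
        if owner_zone is None:
            continue
        zone_acl = zones[owner_zone] if zones[owner_zone] is not None else global_acl
        zone_open = zone_acl is not None and 'any' in zone_acl
        if zone_open and not global_open and served_by(target, zones) is None:
            findings.append((owner, target))
    return findings


if __name__ == "__main__":
    for owner, target in external_cname_findings(NAMED_CONF, ZONE_EXAMPLE_COM):
        print(f"{owner} -> {target}: external clients will get REFUSED")
```

Run against the constructed inputs, it reports only whois.example.com; www.example.com is not flagged because its target lies inside the served example.com zone. Changing the global allow-query to any, as the post describes, empties the report.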