Advisory Notice for Bind Default Configuration and Reflector Attacks
Mark Andrews
Mark_Andrews at isc.org
Fri Mar 24 13:59:29 UTC 2006
> > or you'll have to set up a multilevel config file as follows:
> >
> > # global settings
> > options {
> > ...
> > recursion yes;
> > allow-query { localnets; };
> > ...
> > };
> >
> > # for every zone
> > zone ... {
> > allow-query { any; };
> > };
>
> Unfortunately, I tried to do this a while back and it breaks CNAMEs to
> external sites. For example, on the master for example.com, I have
> entries:
>
> example.com. IN A 10.214.26.16
> www.example.com. IN CNAME example.com.
> whois.example.com. IN CNAME whois.internic.net.
>
> With a config:
>
> options
> {
> allow-query
> {
> localhost;
> localnets;
> };
> allow-recursion
> {
> localhost;
> localnets;
> };
> ...
> };
>
> zone "example.com"
> {
> type master;
> allow-query
> {
> any;
> };
> file "master/example.com";
> };
>
> Attempts from a non-"localnets" client to lookup www.example.com work
> fine because the CNAME points to a zone that is locally served:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50669
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.example.com. IN A
>
> ;; ANSWER SECTION:
> www.example.com. 21600 IN CNAME example.com.
> example.com. 21600 IN A 10.214.26.17
>
>
> However, lookups for whois.example.com fail with "REFUSED":
>
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 30393
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;whois.example.com. IN A
Test with "+norec". That is the way iterative resolvers work.
REFUSED is what you want for recursive queries.
> If I set the global allow-query to any (thereby allowing the world to
> use my server), I get what I would hope for in the previous case:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38745
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;whois.example.com. IN A
>
> ;; ANSWER SECTION:
> whois.example.com. 21600 IN CNAME whois.internic.net.
>
> I'm assuming that the client would then do its own lookup for
> whois.internic.net after getting just the CNAME returned.
>
> Is this a bug in the allow-query checking or am I missing something in
> my settings? I am running 9.3.2 in case it matters.
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
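As an added example, not code from this thread or from ISC's BIND, here is a small Python helper that builds the two dig checks Mark suggests (one with RD set, one with +norec) and parses dig's header lines into a verdict. An operator running it from an address outside localnets can confirm that zone data is still served with "aa" to everyone while recursion is refused, rather than silently running an open resolver. The server name and the third sample response (an open-resolver answer) are constructed; the first two samples are the headers quoted above.

```python
"""Audit helper for the split allow-query / allow-recursion setup.
Added example, not from the thread or from BIND.  The server name and
the SAMPLE_OPEN_RESOLVER response below are constructed."""
import re
import shlex

HEADER_RE = re.compile(
    r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
FLAGS_RE = re.compile(
    r"^;; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
    r"AUTHORITY: (\d+), ADDITIONAL: (\d+)", re.M)


def dig_commands(server, name, rrtype="A"):
    """The two dig invocations to compare: dig's default sets RD (a recursive
    query); +norec asks the way an iterative resolver actually does."""
    base = ["dig", "@" + server, name, rrtype]
    return {
        "recursive": shlex.join(base),
        "iterative": shlex.join(base + ["+norec"]),
    }


def parse_dig_header(output):
    """Pull status, flags and section counts out of dig's ';;' header lines."""
    h = HEADER_RE.search(output)
    f = FLAGS_RE.search(output)
    if not h or not f:
        raise ValueError("no dig header found in output")
    return {
        "opcode": h.group(1),
        "status": h.group(2),
        "flags": set(f.group(1).split()),
        "answer": int(f.group(3)),
        "authority": int(f.group(4)),
    }


def classify(parsed):
    """Describe what the server did with the query, from the header alone.

    'authoritative'  - answered from its own zone data (aa set)
    'refused'        - REFUSED: recursion (or the query) not permitted
    'recursed'       - non-authoritative answer with ra set: the server
                       recursed on the client's behalf; seen from an
                       outside address this means it is an open resolver
    'other:<status>' - anything else (NXDOMAIN, SERVFAIL, empty answer)
    """
    status, flags = parsed["status"], parsed["flags"]
    if status == "REFUSED":
        return "refused"
    if status == "NOERROR" and "aa" in flags:
        return "authoritative"
    if status == "NOERROR" and "ra" in flags and parsed["answer"] > 0:
        return "recursed"
    return "other:" + status


def open_resolver_from_outside(parsed_outputs):
    """Given headers gathered from an address that should NOT be allowed to
    recurse, return True if any response shows the server recursing."""
    return any(classify(p) == "recursed" for p in parsed_outputs)


# Sample 1: the in-zone CNAME lookup quoted in the thread (served with aa).
SAMPLE_INZONE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50669
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
"""
# Sample 2: the off-zone CNAME lookup with RD set, quoted in the thread.
SAMPLE_OFFZONE_CNAME = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 30393
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
# Sample 3 (constructed): what an open resolver would return to an outsider.
SAMPLE_OPEN_RESOLVER = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    # "ns1.example.com" is a placeholder server name, not one from the thread.
    for kind, cmd in dig_commands("ns1.example.com", "whois.example.com").items():
        print(f"{kind:10s} {cmd}")
    for label, sample in [("in-zone CNAME, RD set", SAMPLE_INZONE),
                          ("off-zone CNAME, RD set", SAMPLE_OFFZONE_CNAME),
                          ("constructed open resolver", SAMPLE_OPEN_RESOLVER)]:
        print(f"{label:28s} -> {classify(parse_dig_header(sample))}")
```

Run the two printed dig commands from a host outside localnets and feed their output to parse_dig_header: the +norec query for a zone name should classify as "authoritative", the RD query for an off-zone CNAME target as "refused", and nothing gathered from outside should ever come back "recursed".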