Advisory Notice for Bind Default Configuration and Reflector Attacks

Mark Andrews Mark_Andrews at isc.org
Fri Mar 24 13:59:29 UTC 2006


> > or you'll have to set up a multilevel config file as follows:
> > 
> > 	# global settings
> > 	options {
> > 		...
> > 		recursion yes;
> > 		allow-query { localnets; };
> > 		...
> > 	};
> > 	
> > 	# for every zone
> > 	zone ... {
> > 		allow-query { any; };
> > 	};
> 
> Unfortunately, I tried to do this a while back and it breaks CNAMEs to
> external sites.  For example, on the master for example.com, I have
> entries:
> 
>   example.com.		IN	A	10.214.26.16
>   www.example.com.	IN	CNAME	example.com.
>   whois.example.com.	IN	CNAME	whois.internic.net.
> 
> With a config:
> 
> 	options
> 	{
> 		allow-query
> 		{
> 			localhost;
> 			localnets;
> 		};
> 		allow-recursion
> 		{
> 			localhost;
> 			localnets;
> 		};
> 	...
> 	};
> 
> 	zone "example.com"
> 	{
> 		type master;
> 		allow-query
> 		{
> 			any;
> 		};
> 		file "master/example.com";
> 	};
> 
> Attempts from a non-"localnets" client to look up www.example.com work
> fine because the CNAME points to a zone that is locally served:
> 
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50669
>   ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
> 
>   ;; QUESTION SECTION:
>   ;www.example.com.              IN      A
> 
>   ;; ANSWER SECTION:
>   www.example.com.       21600   IN      CNAME   example.com.
>   example.com.           21600   IN      A       10.214.26.17
> 
> 
> However, lookups for whois.example.com fail with "REFUSED":
> 
>   ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 30393
>   ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
>   ;; QUESTION SECTION:
>   ;whois.example.com.            IN      A

	Test with "+norec".  That is the way iterative resolvers work.
	REFUSED is what you want for recursive queries.
 
> If I set the global allow-query to any (thereby allowing the world to
> use my server), I get what I would hope for in the previous case:
> 
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38745
>   ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
> 
>   ;; QUESTION SECTION:
>   ;whois.example.com.            IN      A
> 
>   ;; ANSWER SECTION:
>   whois.example.com.     21600   IN      CNAME   whois.internic.net.
> 
> I'm assuming that the client would then do its own lookup for
> whois.internic.net after getting just the CNAME returned.
> 
> Is this a bug in the allow-query checking or am I missing something in
> my settings?  I am running 9.3.2 in case it matters.
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
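The interaction the thread describes (a restricted global allow-query, a per-zone allow-query { any; }, allow-recursion limited to localnets, and a CNAME whose target lies outside the server's authoritative data) is easy to get wrong when testing with dig, because the RD bit changes the outcome. The model below is an added illustration, not BIND code and not part of this thread: it reproduces the four responses quoted above (www.example.com answered in full; whois.example.com REFUSED under the restricted config; NOERROR with only the CNAME once the global allow-query is opened) plus the +norec case Mark points to, where an iterative client receives the CNAME and chases it itself. The order of the checks, the localnets prefixes, the outside client address, and the stand-in record for whois.internic.net are assumptions chosen to match the observed output. The defender's takeaway it encodes is that allow-recursion, not the per-zone allow-query, is what stops an outside client from driving the server as a recursive reflector.

```python
"""Model of how BIND's allow-query and allow-recursion ACLs interact with
CNAME chasing, built to reproduce the responses quoted in the thread.
Added illustration only: the decision order is an assumption chosen to
match the observed output, not BIND's actual query code path."""
import ipaddress

# Zone data for example.com as posted in the thread.
ZONES = {
    "example.com.": {
        "example.com.": ("A", "10.214.26.16"),
        "www.example.com.": ("CNAME", "example.com."),
        "whois.example.com.": ("CNAME", "whois.internic.net."),
    },
}

# Constructed stand-in for what recursion would fetch from the Internet
# (documentation address, not real data for whois.internic.net).
EXTERNAL = {"whois.internic.net.": ("A", "192.0.2.10")}

# Assumed contents of the built-in "localnets" ACL for this server.
LOCALNETS = ["127.0.0.0/8", "10.214.26.0/24"]

RESTRICTED = {                      # the poster's configuration
    "allow_query": LOCALNETS,       # global allow-query
    "allow_recursion": LOCALNETS,
    "zone_allow_query": ["any"],    # allow-query inside zone "example.com"
}
OPEN_QUERY = dict(RESTRICTED, allow_query=["any"])  # global allow-query any


def in_acl(client, acl):
    """True if the client address matches any element of the ACL."""
    if "any" in acl:
        return True
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(net) for net in acl)


def find_zone(qname):
    """Return the authoritative zone containing qname, or None."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONES:
            return candidate
    return None


def answer(config, client, qname, rd=True):
    """Return (status, answer_rrs) for one query; rd=False is 'dig +norec'."""
    answers = []
    name = qname
    while True:
        zone = find_zone(name)
        if zone is not None:
            # A zone-level allow-query overrides the global one.
            acl = config.get("zone_allow_query", config["allow_query"])
            if not in_acl(client, acl):
                return "REFUSED", []
            rtype, rdata = ZONES[zone].get(name, (None, None))
            if rtype is None:
                return "NXDOMAIN", answers
            answers.append((name, rtype, rdata))
            if rtype == "CNAME":
                name = rdata
                continue
            return "NOERROR", answers
        # The chain has left authoritative data.
        if not rd:
            # Iterative client: return what we have; it chases the rest.
            return "NOERROR", answers
        if in_acl(client, config["allow_recursion"]):
            rr = EXTERNAL.get(name)          # stands in for real recursion
            if rr is None:
                return "SERVFAIL", answers
            answers.append((name, rr[0], rr[1]))
            return "NOERROR", answers
        if in_acl(client, config["allow_query"]):
            # May read the cache but not recurse: partial chain, NOERROR.
            return "NOERROR", answers
        # Neither recursion nor cache access permitted: REFUSED, as observed.
        return "REFUSED", []


if __name__ == "__main__":
    outside, inside = "198.51.100.7", "10.214.26.5"   # constructed clients
    for cfg, client, q, rd in [(RESTRICTED, outside, "www.example.com.", True),
                               (RESTRICTED, outside, "whois.example.com.", True),
                               (RESTRICTED, outside, "whois.example.com.", False),
                               (OPEN_QUERY, outside, "whois.example.com.", True),
                               (RESTRICTED, inside, "whois.example.com.", True)]:
        print(client, q, "rd" if rd else "norec", "->", answer(cfg, client, q, rd))
```

When checking a server against this, send both a recursive and a +norec query from an address outside localnets: REFUSED on the recursive query to a CNAME that leaves the zone is the intended result, and the +norec response is what a real iterative resolver would see.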
