[bind10-dev] when should we apply ACL in incoming request processing?

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Fri Jun 24 18:32:50 UTC 2011


I had a couple of things I was not sure about when I worked on #999
(b10-resolver ACL):

1. The default ACL
2. At which point in incoming request processing we should apply the ACL

In the current code (now under review), the default is "accept ::1 and
127.0.0.1 and reject others (returning REFUSED)".  This is probably
reasonable, especially because the default listen_on is also ::1 and
127.0.0.1.  (But if someone had a different opinion I'd appreciate
other suggestions.)

I'm more uncertain about the second point.  The current implementation
applies the ACL after:
- parsing the incoming packet (which may result in FORMERR if the
  packet is broken in some specific ways),
- refusing unsupported opcode (anything other than normal query for
  the resolver) with NOTIMP (or NOTAUTH for notify), and
- refusing a query containing more than one question (with FORMERR)

So, for example, even if the administrator specifies an ACL rule that
drops/rejects queries from a specific IP address, the resolver still
performs the above checks and could return FORMERR, NOTIMP, etc.

This is compatible with BIND 9's behavior, but I guess administrators
would rather reject an unwanted packet before doing any deeper
inspection.  BIND 9 actually has a separate "blackhole" ACL, which is
applied before doing any protocol level processing, but the current
implementation of b10-resolver doesn't have an equivalent to that.

Note that simply applying ACL before doing anything may not really be
the best except for "blackhole"ing because we could return a REFUSED
response to a packet that may not even be a DNS message (but is
somehow delivered to the server).

Blackholing (in our current terminology, "DROP") may also be
suboptimal in that it could make the client repeat the query
unnecessarily.

So, what should we do?  Any opinions?

BTW, I've quickly looked at other implementations.  If I understand
them correctly:
- unbound applies ACL immediately after it receives an incoming
  message.  It could return REFUSED to non-DNS packets (and if the
  packet is very short, such as just one byte, some parts of the first
  four bytes could be garbage)
- PowerDNS (recursor) also applies ACL immediately after it receives
  an incoming message.  It only silently drops unwanted packets (no
  REFUSED).  As commented above, this may not be ideal.

---
JINMEI, Tatuya
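
An added illustration of the two orderings discussed in the post above.
This is not b10-resolver or BIND 10 code; the ACL actions ACCEPT, REJECT
and DROP, the Acl class, the Decision tuple and the function names are
this example's own, and the rcode and opcode numbers are the RFC 1035 /
RFC 1996 values.  It models the checks the post lists (header parse,
opcode, question count) and shows what a denied client, or a one-byte
datagram that is not a DNS message at all, receives when the ACL is
applied after those checks versus immediately on receipt:

```python
"""Illustration (not b10-resolver code) of where an ACL sits in DNS request
processing: after the header/opcode/question-count checks, as the post
describes for the current implementation, or immediately on receipt, as it
describes for unbound and the PowerDNS recursor."""
import ipaddress
from collections import namedtuple
from enum import IntEnum


class Rcode(IntEnum):
    """Response codes used below (RFC 1035, NOTAUTH from RFC 2136)."""
    NOERROR = 0
    FORMERR = 1
    NOTIMP = 4
    REFUSED = 5
    NOTAUTH = 9


OPCODE_QUERY, OPCODE_NOTIFY = 0, 4  # RFC 1035 / RFC 1996 opcodes

# action is "respond" or "drop"; rcode and qid are None when dropping.
Decision = namedtuple("Decision", "action rcode qid")


class Acl:
    """Ordered (action, prefix) rules, first match wins; the default action
    mirrors the post's default of rejecting everything not listed.
    Actions follow the post's terminology: ACCEPT, REJECT (REFUSED), DROP."""

    def __init__(self, rules, default="REJECT"):
        self.rules = [(a, ipaddress.ip_network(p)) for a, p in rules]
        self.default = default

    def check(self, src):
        ip = ipaddress.ip_address(src)
        for action, net in self.rules:
            if ip.version == net.version and ip in net:
                return action
        return self.default


def parse_header(packet):
    """Return (qid, opcode, qdcount) from the 12-byte DNS header; raises
    ValueError when the datagram is too short to hold a header at all."""
    if len(packet) < 12:
        raise ValueError("datagram shorter than a DNS header")
    qid = int.from_bytes(packet[0:2], "big")
    flags = int.from_bytes(packet[2:4], "big")
    opcode = (flags >> 11) & 0xF
    qdcount = int.from_bytes(packet[4:6], "big")
    return qid, opcode, qdcount


def make_query(qid, opcode=OPCODE_QUERY, qdcount=1):
    """Constructed header-only query for the demonstration (no question
    section, since only the header is inspected here)."""
    flags = (opcode & 0xF) << 11 | 0x0100  # RD set, QR clear
    return (qid.to_bytes(2, "big") + flags.to_bytes(2, "big")
            + qdcount.to_bytes(2, "big") + bytes(6))


def protocol_checks(packet):
    """The checks the post lists before the ACL.  Returns (decision, qid);
    decision is None when the message passes.  A datagram too short for a
    header is dropped here because there is no ID to answer with (this
    example's assumption)."""
    try:
        qid, opcode, qdcount = parse_header(packet)
    except ValueError:
        return Decision("drop", None, None), None
    if opcode == OPCODE_NOTIFY:
        return Decision("respond", Rcode.NOTAUTH, qid), qid
    if opcode != OPCODE_QUERY:
        return Decision("respond", Rcode.NOTIMP, qid), qid
    if qdcount != 1:
        return Decision("respond", Rcode.FORMERR, qid), qid
    return None, qid


def acl_decision(acl, src, qid):
    action = acl.check(src)
    if action == "DROP":
        return Decision("drop", None, None)
    if action == "REJECT":
        return Decision("respond", Rcode.REFUSED, qid)
    return Decision("respond", Rcode.NOERROR, qid)  # ACCEPT: go on to resolve


def process_acl_last(packet, src, acl):
    """Order described for the current b10-resolver: a denied client still
    gets FORMERR/NOTIMP/NOTAUTH for malformed or unsupported messages."""
    early, qid = protocol_checks(packet)
    return early if early else acl_decision(acl, src, qid)


def process_acl_first(packet, src, acl):
    """ACL immediately on receipt: REJECT answers REFUSED even to something
    that is not a DNS message, echoing whatever bytes are there, zero-padded
    (the garbage the post mentions)."""
    qid = int.from_bytes(packet[0:2].ljust(2, b"\0"), "big")
    decision = acl_decision(acl, src, qid)
    if decision.rcode != Rcode.NOERROR:
        return decision
    early, _ = protocol_checks(packet)
    return early if early else decision


if __name__ == "__main__":
    # Constructed ACL: the post's default of ::1 and 127.0.0.1, plus a DROP
    # (blackhole) prefix from a documentation range; everything else REJECT.
    acl = Acl([("ACCEPT", "127.0.0.1/32"), ("ACCEPT", "::1/128"),
               ("DROP", "192.0.2.0/24")])
    two_q = make_query(0x1234, qdcount=2)
    print("ACL last, denied client, 2 questions:", process_acl_last(two_q, "198.51.100.7", acl))
    print("ACL first, denied client, 2 questions:", process_acl_first(two_q, "198.51.100.7", acl))
    print("ACL last, one-byte datagram:", process_acl_last(b"\x00", "198.51.100.7", acl))
    print("ACL first, one-byte datagram:", process_acl_first(b"\x00", "198.51.100.7", acl))
```

The two trade-offs in the post fall out directly: with the ACL last, a
client the administrator wanted to refuse still learns FORMERR or NOTAUTH
from the parser; with the ACL first, a single stray byte from a rejected
address earns a REFUSED with a fabricated ID, while DROP stays silent in
both orders and leaves the client to retry.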


