Your message dated Tue, 6 Nov 2007 21:22:04 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#393003: bind9: don't allow recursion by default (for untrusted networks)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: bind9
Version: 1:9.3.2-P1-2
Severity: wishlist
Tags: patch

Hi,

By default the bind9 server shipped as part of Debian allows DNS
recursion for any client who happens to contact it. I have been, and
likely others have as well, subjected to DoS attacks via DNS recursion
(there are plenty of references to it).

Anyway it would be good to fix this for Debian users.

The way to do this is by having two views, an internal and an external
one. For the internal view, you use an ACL to determine who can and who
cannot.

Attached is an initial named.conf.acls file and a diff to named.conf to
make this all happen.

All of this information was gleaned from:
http://www.cymru.com/Documents/secure-bind-template.html

Thanks,
Anand

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages bind9 depends on:
ii  adduser                     3.97         Add and remove users and groups
ii  libbind9-0                  1:9.3.2-P1-2 BIND9 Shared Library used by BIND
ii  libc6                       2.3.6.ds1-4  GNU C Library: Shared libraries
ii  libdns21                    1:9.3.2-P1-2 DNS Shared Library used by BIND
ii  libisc11                    1:9.3.2-P1-2 ISC Shared Library used by BIND
ii  libisccc0                   1:9.3.2-P1-2 Command Channel Library used by BI
ii  libisccfg1                  1:9.3.2-P1-2 Config File Handling Library used 
ii  liblwres9                   1:9.3.2-P1-2 Lightweight Resolver Library used 
ii  libssl0.9.8                 0.9.8c-3     SSL shared libraries
ii  lsb-base                    3.1-15       Linux Standard Base 3.1 init scrip
ii  netbase                     4.25         Basic TCP/IP networking system

bind9 recommends no packages.

-- no debconf information
--- named.conf.orig	2006-10-15 01:49:36.000000000 +1000
+++ named.conf	2006-10-15 01:54:54.000000000 +1000
@@ -6,48 +6,81 @@
 //
 // If you are just adding zones, please do that in /etc/bind/named.conf.local
 
-include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.acls";
 
-// prime the server with knowledge of the root servers
-zone "." {
-	type hint;
-	file "/etc/bind/db.root";
-};
+include "/etc/bind/named.conf.options";
 
-// be authoritative for the localhost forward and reverse zones, and for
-// broadcast zones as per RFC 1912
+view "internal" in {
+    // Our internal (trusted) view. We permit the internal networks
+    // to freely access this view. We perform recursion for our
+    // internal hosts, and retrieve data from the cache for them.
+
+    match-clients { trusted; };
+    recursion yes;
+    additional-from-auth yes;
+    additional-from-cache yes;
+
+    // prime the server with knowledge of the root servers
+    zone "." {
+	    type hint;
+	    file "/etc/bind/db.root";
+    };
+
+    // be authoritative for the localhost forward and reverse zones, and for
+    // broadcast zones as per RFC 1912
+
+    zone "localhost" {
+	    type master;
+	    file "/etc/bind/db.local";
+    };
+
+    zone "127.in-addr.arpa" {
+	    type master;
+	    file "/etc/bind/db.127";
+    };
+
+    zone "0.in-addr.arpa" {
+	    type master;
+	    file "/etc/bind/db.0";
+    };
+
+    zone "255.in-addr.arpa" {
+	    type master;
+	    file "/etc/bind/db.255";
+    };
+
+    // zone "com" { type delegation-only; };
+    // zone "net" { type delegation-only; };
+
+    // From the release notes:
+    //  Because many of our users are uncomfortable receiving undelegated answers
+    //  from root or top level domains, other than a few for whom that behaviour
+    //  has been trusted and expected for quite some length of time, we have now
+    //  introduced the "root-delegations-only" feature which applies delegation-only
+    //  logic to all top level domains, and to the root domain.  An exception list
+    //  should be specified, including "MUSEUM" and "DE", and any other top level
+    //  domains from whom undelegated responses are expected and trusted.
+    // root-delegation-only exclude { "DE"; "MUSEUM"; };
 
-zone "localhost" {
-	type master;
-	file "/etc/bind/db.local";
-};
+    include "/etc/bind/named.conf.local";
 
-zone "127.in-addr.arpa" {
-	type master;
-	file "/etc/bind/db.127";
 };
 
-zone "0.in-addr.arpa" {
-	type master;
-	file "/etc/bind/db.0";
-};
+view "external" in {
+    // Our external (untrusted) view. We permit any client to access
+    // portions of this view. We do not perform recursion or cache
+    // access for hosts using this view.
+
+    match-clients { any; };
+    recursion no;
+    additional-from-auth no;
+    additional-from-cache no;
+
+    // prime the server with knowledge of the root servers
+    zone "." {
+	    type hint;
+	    file "/etc/bind/db.root";
+    };
 
-zone "255.in-addr.arpa" {
-	type master;
-	file "/etc/bind/db.255";
+    include "/etc/bind/named.conf.local";
 };
-
-// zone "com" { type delegation-only; };
-// zone "net" { type delegation-only; };
-
-// From the release notes:
-//  Because many of our users are uncomfortable receiving undelegated answers
-//  from root or top level domains, other than a few for whom that behaviour
-//  has been trusted and expected for quite some length of time, we have now
-//  introduced the "root-delegations-only" feature which applies delegation-only
-//  logic to all top level domains, and to the root domain.  An exception list
-//  should be specified, including "MUSEUM" and "DE", and any other top level
-//  domains from whom undelegated responses are expected and trusted.
-// root-delegation-only exclude { "DE"; "MUSEUM"; };
-
-include "/etc/bind/named.conf.local";
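Review bot: `include "/etc/bind/named.conf.local";` is now pulled into both `view "internal"` and `view "external"`, so every zone an administrator defines there is instantiated twice; that is harmless for master zones, but a slave zone with a `file` statement would have two views writing the same zone/journal file, which named rejects as a writeable file already in use. Suggest either keeping the include in the internal view only and having administrators list externally visible zones in the external view explicitly, or documenting in named.conf.local that slave zones need a distinct `file` per view. Two smaller points: the external view has `recursion no` yet still carries `zone "." { type hint; ... }`, which a non-recursive view never uses for resolution and can be dropped; and `match-clients { trusted; }` with the shipped ACL (`localhost` only) means LAN clients lose recursion the moment this lands, so the package should say in its NEWS or conffile comments that /etc/bind/named.conf.acls must be edited before upgrading a resolver that serves a network.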
// /etc/bind/named.conf.acls
acl "trusted" {

	// Place our internal and DMZ subnets in here so that
	// intranet and DMZ clients may send DNS queries.  This
	// also prevents outside hosts from using our name server
	// as a resolver for other domains.
	localhost;
	// If you are using any of these RFC3330 addresses you should
	// uncomment these and specify the range more precisely
	// (each entry needs its trailing semicolon)
	//10.0.0.0/8;
	//172.16.0.0/12;
	//192.168.0.0/16;

};

--- End Message ---
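To check from outside the `trusted` networks whether a server still recurses for you after a change like the one above, the probe below is an added example; it is not part of the bug report, the cymru template or the bind9 package. It builds a query with the RD bit set, sends it to the server named on the command line, and classifies the reply by the RA bit and RCODE, the same signal `dig` shows as `ra` in its flags line. The three replies embedded in the block are constructed test data so the classification can be exercised offline; `www.example.com` and `192.0.2.10` are placeholders.

```python
"""Open-resolver probe for checking a BIND server after restricting recursion.

Added example (not from the Debian bug report or the bind9 package).
A server that still recurses for the caller answers with RA=1; one that
has recursion disabled for the caller's address answers REFUSED, or a
referral with RA=0.  Names/addresses below are placeholders and the
sample replies are constructed, not captured.
"""
import random
import socket
import struct
from typing import Optional

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def build_query(name: str, txid: int, qtype: int = 1, rd: bool = True) -> bytes:
    """Wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the fixed header; that is enough to judge the recursion policy."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(resp: bytes, txid: int) -> str:
    """Map a reply to a verdict about recursion being offered to us."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "not-a-response"      # unsolicited/spoofed, or an echo of our query
    if h["rcode"] == RCODE_REFUSED:
        return "refused"             # what a correctly restricted server says
    if h["ra"]:
        return "open-resolver"       # server recursed (or offers to) for us
    if h["rcode"] == RCODE_NOERROR and h["ancount"] == 0:
        return "referral-only"       # authoritative-only: NS hints, no recursion
    return "other"


def probe(server: str, name: str = "www.example.com.", timeout: float = 3.0) -> str:
    """Send one UDP query and classify the reply (network I/O; not used by tests)."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(data, txid)


# --- constructed replies for offline use (no real server involved) ----------
def fake_response(query: bytes, flags: int, answer_ip: Optional[str] = None) -> bytes:
    """Echo the question section; optionally add one A record (name via 0xC00C pointer)."""
    txid = struct.unpack("!H", query[:2])[0]
    answers, ancount = b"", 0
    if answer_ip:
        answers = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:] + answers


QUERY = build_query("www.example.com.", txid=0x1234)
# Before the change: recursion for anyone -> QR|RD|RA, NOERROR, one answer.
REPLY_OPEN = fake_response(QUERY, FLAG_QR | FLAG_RD | FLAG_RA, "192.0.2.10")
# After the change, seen from outside "trusted": QR|RD, RA clear, RCODE=REFUSED.
REPLY_REFUSED = fake_response(QUERY, FLAG_QR | FLAG_RD | RCODE_REFUSED)
# Authoritative-only server that hands out a referral instead of refusing.
REPLY_REFERRAL = fake_response(QUERY, FLAG_QR | FLAG_RD)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        for label, r in (("open", REPLY_OPEN), ("refused", REPLY_REFUSED),
                         ("referral", REPLY_REFERRAL)):
            print(label, "->", classify(r, 0x1234))
```

Run it from a host that is not in `trusted` (`python3 probe.py <server-ip>`). "refused" and "referral-only" both mean the server did not recurse for you; "open-resolver" means the ACL or view is not taking effect for your source address, so re-check `match-clients` and which view the query actually lands in.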
--- Begin Message ---
Version: 1:9.4.0-1

Fixed in 9.4.0 upstream.

lamont


--- End Message ---
