open recursion/cache problem

Mark Andrews Mark_Andrews at isc.org
Tue Aug 29 23:33:51 UTC 2006


> Stefan Schmidt wrote:
> > On Tue, Aug 29, 2006 at 12:31:10PM +0100, Chris Thompson wrote:
> >   
> >>> He asked to specifically limit recursive queries to his IP space as he
> >>> also has zones he is authoritative for that need to get served - so he
> >>> cannot just block all queries recursive or otherwise.
> >>>       
> >> That's _why_ Barry said
> >>
> >>   Then in all the public zone definitions, add "allow-query{any;};"
> >>
> >> Specifying allow-query in a zone statement overrides the value in the 
> >> options statement, for queries for records within that zone.
> >>     
> >
> > Right, I misread him then.
> > I separated authoritative and recursive nameservers long ago - which is what
> > I would strongly recommend doing if you have more than just a few zones
> > to manage btw. - so I forgot about the following:
> >
> > allow-recursion
> >     Specifies which hosts are allowed to make recursive queries through
> >     this server. If not specified, the default is to allow recursive
> >     queries from all hosts. Note that disallowing recursive queries
> >     for a host does not prevent the host from retrieving data that is
> >     already in the server's cache. 
> >
> > For Jeffrey's setup this means that clients not listed in allow-recursion
> > will not be able to trigger named to issue any recursive action but
> > will be shown the contents of what it already cached which we might call
> > minor information leakage.
> >
> > IMO there should be an option that prevents non-authoritative zones from
> > being queried. This way the above would become more clear.
> > Say allow-recursive-clients-from or something similar.
> >
> >   
> BIND 9.4.0 has "allow-query-cache" (from CHANGES):
> 
>     New option "allow-query-cache". This lets allow-query be
>     used to specify the default zone access level rather than
>     having to have every zone override the global value.
>     allow-query-cache can be set at both the options and view
>     levels. If allow-query-cache is not set allow-query applies.
> 
> 					- Kevin

	Which is further modified by:

2006.   [security]      Allow-query-cache and allow-recursion now default
                        to the builtin acls "localnets" and "localhost".

                        This is being done to make caching servers less
                        attractive as reflective amplifying targets for
                        spoofed traffic.  This still leaves authoritative
                        servers exposed.

                        The best fix is for full BCP 38 deployment to
                        remove spoofed traffic.

	localnets should be a superset of localhost, but on some
	platforms we can't get an IPv6 prefix length to set localnets.
--
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email training at isc.org.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
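As an added illustration, not from the thread or from ISC, here is a named.conf fragment contrasting the open-resolver setup the thread is about with two restricted variants: the pre-9.4 workaround (restrictive allow-query in options, per-zone allow-query { any; }) and the 9.4 form using allow-query-cache. The zone name, file paths and the 192.0.2.0/24 prefix are assumed placeholders.

```conf
// BEFORE (pre-9.4 defaults): an open resolver. allow-recursion and
// allow-query are unset, so they default to { any; }: every host on the
// Internet can recurse through this server and read its cache, which is
// what makes it usable as a reflector for spoofed-source traffic.
options {
    directory "/var/named";          // assumed path
    recursion yes;
};

// Shared ACL for the clients that may use this server as a resolver.
// 192.0.2.0/24 is a documentation prefix standing in for the real IP space.
acl "trusted" { localhost; localnets; 192.0.2.0/24; };

// AFTER, variant 1 (works on 9.3 and earlier): the global allow-query also
// gates cache answers, so the public zones must each override it.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };    // who may trigger recursive lookups
    allow-query { trusted; };        // also covers the cache on pre-9.4
};

zone "example.net" {                 // placeholder authoritative zone
    type master;
    file "example.net.zone";
    allow-query { any; };            // overrides options: public data stays public
};

// AFTER, variant 2 (BIND 9.4+): allow-query-cache gates the cache on its
// own, so allow-query in options can be the default zone access level and
// the per-zone override above is no longer needed.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };  // cached answers only for trusted clients
    allow-query { any; };            // default for authoritative zones
};
```

Check the syntax with `named-checkconf`, then confirm from a host outside the ACL that a query for a name in the authoritative zone is answered while a query for an unrelated name returns REFUSED.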