Sub-domain RR leakage?
Tom Jennings
tomj at wps.com
Tue Jul 18 17:03:01 UTC 2000
We have a web-based site with many hosts in RFC1918 space, all
in sub-domains, and one public second-level domain containing our
public hosts. Most of the subdomains are on a few internal
nameservers (with 10.* addresses) and aren't a problem.
Our "external" nameserver ns1.foo.com (domain names changed to
protect the guilty) is primary for our top (2nd-level) domain;
primary for one subdomain; and secondary for various other sub-domains
(see CHART). ns1.foo.com is our enterprise-wide nameserver, as it
knows all inside and outside data. It runs 8.2.2-p5 and listens on
its one interface (has a static in its firewall).
Queries and transfers of the various domains are strictly limited
by BIND ACLs and I verified this carefully.
The problem is this: BIND is including RR data from sub-domains in
zone-transfers of the top domain. The primary zone file FOO.COM
contains NO references to ANY subdomain, yet named-xfer includes
data from all subdomains in the transfer to a secondary. I ran
named-xfer manually and verified this. And of course since the
secondaries don't have my ACLs, queries for subdomain data against
secondaries return RRs containing 10.* addresses.
Tell me it ain't so. I assume this is a screwup of mine (I can fix
those easily). Any ideas? HALP!
tomj
CHART:
zone           auth       who can axfr?   who can query?
foo.com        primary    one ISP NS      ANY
SUB1.foo.com   primary    two int. NS     10/8
sub2.foo.com   secondary  none            10/8
sub3.foo.com   secondary  none            10/8
-----------------------------------------------------------------------
ZONE foo.com ON PRIMARY: (condensed)
$ORIGIN foo.com.
@       in  SOA foo.com. networking.foo.com. (
                ; yyyymmddnn
                2000071302  ; serial
                15m         ; refresh ((((just changed NS's!))))
                5m          ; retry ((((have mercy!))))
                30d         ; expiry
                1d          ; minimum
                )
        in  ns  ns1.foo.com.
        in  ns  ns2.foo.com.
((((A RRs follow))))
-----------------------------------------------------------------------
ZONE foo.com ON SECONDARY AFTER AXFR: (condensed)
; BIND version named 8.2.2-P5 Mon Feb 28 10:17:53 EST 2000
; BIND version root at porky.devel.redhat.com:/usr/src/bs/BUILD/bind-8.2.2_P5/src/bin/named
; zone 'foo.com' last serial 2000071301
; from 10.4.0.13:53 (local 10.8.0.3) using AXFR at Thu Jul 13 13:53:11 2000
$ORIGIN com.
foo     86400   IN  SOA foo.com. networking.foo.com. (
                2000071302 900 300 2592000 86400 )
        86400   IN  NS  ns1.foo.com.
        86400   IN  NS  ns2.foo.com.
        86400   IN  NS  ((((ISP nameserver))))
        86400   IN  NS  ((((ISP nameserver))))
$ORIGIN foo.com.
(((( the correct A RRs for this domain here))))
((((Leaked data follows this point))))
SUB1    3600    IN  NS  ns2.SUB1.foo.com.
$ORIGIN SUB1.foo.com.
((((A RRs here))))
ns2     86400   IN  A   10.8.0.3
$ORIGIN foo.com.
((((A RRs here))))
sub2    3600    IN  NS  ns.sub2.foo.com.
$ORIGIN sub2.foo.com.
((((A RRs here))))
ns      3600    IN  A   10.1.100.1
$ORIGIN foo.com.
((((A RRs here))))
sub2    3600    IN  NS  ns2.sub2.foo.com.
...
...
...
-----------------------------------------------------------------------
NAMED.CONF: (condensed)
options {
        /* By default, allow inside users to query, only. */
        allow-query {
                127/8; 10/8; 192.168/16;
        };
        also-notify {
                10.8.0.3; 10.1.100.1; 10.5.100.1;
        };
        /* By default, only internal nameservers can axfr */
        allow-transfer {
                127.0.0.1;
                10.4.0.13; 10.8.0.3;
                10.1.100.1; 10.5.100.1;
        };
};
zone "foo.com" {
        type master;
        file "foo.com";
        allow-query { ANY; };   /* this domain is public */
        allow-transfer {
                127.0.0.1;
                64.209.167.75; 64.41.147.13;
                (((( ISP nameservers ))))
        };
};
/* We primary this sub-domain */
zone "SUB1.foo.com" {
        type master;
        file "SUB1.foo.com";
};
/* We secondary N of these sub-domains */
zone "sub2.foo.com" {
        type slave;
        file "secondary/sub2.foo.com";
        masters { 10.1.100.1; 10.5.100.1; };
};
---
INFORMATION GLADLY GIVEN BUT SAFETY REQUIRES AVOIDING UNNECESSARY CONVERSATION
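The leak in this post was found by reading a transfer dump by hand. The following is an added example, not code from the post or from BIND, of a small audit script that does the same check mechanically: it parses master-file text of the kind named-xfer (or `dig axfr`) writes, then reports A records that point into RFC 1918 space and records that belong to a child zone other than the delegation NS at the zone cut and its glue. The sample dump is constructed for this example, modelled on the one above: the SUB1/sub2 names and 10.* addresses come from the post, while the 192.0.2.x public addresses and the `intranet` host are made up.

```python
"""Audit a zone-transfer dump of a public zone for data that should not be
served to the outside (added example, not BIND's own tooling)."""
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASSES = {"IN", "CH", "HS"}


def _fqdn(name, origin):
    """Make a master-file name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, default_origin):
    """Minimal master-file parser for zone-transfer dumps.

    Handles $ORIGIN, '@' and relative owner names, an owner carried over
    from the previous record (line starts with whitespace), optional TTL and
    class in either order, ';' comments and parenthesised multi-line rdata.
    Returns a list of (owner, type, [rdata tokens]) with absolute owners.
    """
    origin = default_origin if default_origin.endswith(".") else default_origin + "."
    records, owner, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        pending = pending + " " + line if pending else line
        if pending.count("(") > pending.count(")"):
            continue                                  # rdata continues on next line
        line, pending = pending.replace("(", " ").replace(")", " "), ""
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = _fqdn(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):                 # $TTL etc.: not needed here
            continue
        if line[0] not in " \t":                      # explicit owner name
            owner = _fqdn(tokens.pop(0), origin)
        if owner is None:
            raise ValueError("record without owner: " + line)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                             # skip TTL and/or class
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def find_leaks(records, child_zones):
    """Return (category, owner, detail) findings for a public zone's dump.

    'rfc1918'    : an A record whose address is in RFC 1918 space
    'child-data' : a record inside one of child_zones that is neither the
                   delegation NS at the zone cut nor glue for that NS
    """
    children = {c.rstrip(".").lower() + "." for c in child_zones}
    glue = {rd[0].lower() for o, t, rd in records
            if t == "NS" and o.lower() in children}
    findings = []
    for owner, rtype, rdata in records:
        o = owner.lower()
        if rtype == "A" and any(ipaddress.ip_address(rdata[0]) in n for n in RFC1918):
            findings.append(("rfc1918", owner, rdata[0]))
        inside_child = any(o.endswith("." + c) for c in children)
        if inside_child and not (rtype == "A" and o in glue):
            findings.append(("child-data", owner, rtype))
    return findings


# Constructed sample dump in the shape of the AXFR output shown in the post.
SAMPLE_AXFR = """\
$ORIGIN com.
foo 86400 IN SOA foo.com. networking.foo.com. (
        2000071302 900 300 2592000 86400 )
        86400 IN NS ns1.foo.com.
        86400 IN NS ns2.foo.com.
$ORIGIN foo.com.
www 86400 IN A 192.0.2.10
ns1 86400 IN A 192.0.2.1
SUB1 3600 IN NS ns2.SUB1.foo.com.
$ORIGIN SUB1.foo.com.
ns2 86400 IN A 10.8.0.3
intranet 3600 IN A 10.8.0.20
$ORIGIN foo.com.
sub2 3600 IN NS ns.sub2.foo.com.
$ORIGIN sub2.foo.com.
ns 3600 IN A 10.1.100.1
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_AXFR, "foo.com")
    for category, owner, detail in find_leaks(recs, ["SUB1.foo.com", "sub2.foo.com"]):
        print(f"{category:10s} {owner:30s} {detail}")
```

Run against a real dump, `child_zones` is the list of sub-domains the same server is authoritative for (here the SUB1/sub2/sub3 zones from the chart). Glue for a delegation is reported only when its address is private, because the delegation NS and its glue are legitimate parent-zone data in shape; everything else below a zone cut is reported as child data regardless of address.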