Bind 9 Security Issue

Kevin Darcy kcd at daimlerchrysler.com
Wed Mar 6 19:34:57 UTC 2002


All of the log messages say "denied recursion", and all of the IP addresses
appear to be external. It looks like named is doing exactly what you've told it
to do, i.e. deny recursion to external clients. Could you clarify what you
think is wrong?


- Kevin

"Do, Ho cao (CIT)" wrote:

> Hello all,
>
> Our DNS system has experienced some unexpected security issues since we
> updated from 8.2.5REL to 9.2.0.  The problem is that in the named.conf file
> we only allow our inside machines to do recursive queries.  It was working
> fine with 8.2.5.  However with 9.2.0, it seems to deny any query from
> outside our network.  Please advise.
>
> Portion of reference in NAMED.CONF file
> --------------------------------------
> // generated by named-bootconf.pl
> acl "nih_secondary_dns" {
>                                 {128.231.64.1;
>                                  130.14.35.128;
>                                  204.123.2.18;
>                                  204.123.2.19;
>                                  130.14.25.2;
>                                              };
> };
>
> acl "nih_ip_addresses" {
>                                 {128.231.0.0/16;
>                                  137.187.0.0/16;
>                                  156.40.0.0/16;
>                                  165.112.0.0/16;
>                                  129.43.0.0/16;
>                                  199.249.158.0/24;
>                                  157.98.0.0/16;
>                                  130.14.0.0/16;
>                                  131.158.140.0/24;
>                                  131.158.81.0/24;
>                                  131.158.67.0/24;
>                                  131.158.67.113;
>                                  150.148.112/23;
>                                  150.148.218/23;
>                                  192.168.0.0/16;
>                                  205.128.154.0/24;
>                                               };
> };
>
> options {
>
>         allow-recursion { "nih_ip_addresses"; };
>
>         recursive-clients 10000;
>
>         directory "/etc/namedb";
>
>        allow-transfer
>        { "nih_secondary_dns";
>          "nih_ip_addresses";
>        };
>
> };
>
> --------------------------------------------
> Portion of the security.log
> --------------------------------------------
> denied recursion for query from [12.43.96.2].57202 for
> 135.66.142.146.in-addr.arpa IN
> denied recursion for query from [199.159.244.52].3730 for po.nrcs.usda.gov
> IN
> denied recursion for query from [65.165.89.127].1100 for od6011-p1.mris.com
> IN
> denied recursion for query from [131.158.21.110].3110 for a188.g.akamai.net
> IN
> denied recursion for query from [131.158.21.110].3112 for a188.g.akamai.net
> IN
> denied recursion for query from [208.209.39.37].41780 for
> 1.162.136.198.in-addr.arpa IN
> denied recursion for query from [32.97.140.109].5527 for
> 24.4.142.146.in-addr.arpa IN
> denied recursion for query from [207.197.254.27].2544 for yahoo.com IN
> denied recursion for query from [134.174.20.16].4990 for www.bls.gov IN
> denied recursion for query from [207.197.254.27].2545 for
> mail.nih.gov.gatewayone.com IN
> denied recursion for query from [64.200.160.21].64084 for
> 24.4.142.146.in-addr.arpa IN
> denied recursion for query from [207.55.158.8].53 for
> 32.4.142.146.in-addr.arpa IN
> denied recursion for query from [131.158.175.196].4477 for
> www.apple.com.akadns.net IN
> denied recursion for query from [128.252.120.1].60586 for nohic.aerie.com IN
> denied recursion for query from [216.185.192.2].53 for www.bls.gov IN
> denied recursion for query from [64.28.67.21].47050 for
> 69.47.142.146.in-addr.arpa IN
> denied recursion for query from [64.213.103.93].38431 for bls.gov IN
> denied recursion for query from [131.158.175.196].4523 for www.xerox.com IN
> denied recursion for query from [65.160.54.183].1361 for
> corporate.imgcorp.com IN
> denied recursion for query from [208.196.154.125].237 for stats.bls.gov IN
> denied recursion for query from [64.196.154.36].1160 for
> bis.180solutions.com IN
> denied recursion for query from [65.160.54.183].1366 for
> DDOMONKOS.corporate.imgcorp.com IN
> denied recursion for query from [66.44.45.222].1224 for pop.mail.rcn.net IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [63.161.59.66].53 for
> 32.4.142.146.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [131.158.175.194].49152 for
> 194.175.158.131.in-addr.arpa IN
> denied recursion for query from [129.252.51.13].1837 for www.bls.gov IN
> denied recursion for query from [65.165.89.127].1105 for od1h1.mris.com IN
> denied recursion for query from [67.97.212.2].53 for
> 32.4.142.146.in-addr.arpa IN
> ------------------------------------------
>
> I really appreciate any reply.
>
> Sincerely,
>
> Ho
>
> Ho Cao Do
> NIH/CIT/DNST/CSS
> Federal Bldg., Room 4C10
> 7550 Wisconsin Ave.,
> Bethesda, MD 20892
> (301)435-1970   Voice
> (301)480-6041   Fax
> doh at mail.nih.gov


