should denials by allow-query set RA bit?

Danny Thomas d.thomas at its.uq.edu.au
Thu Jul 20 06:10:46 UTC 2006


a person at UQ recently ran dnsreport against a zone on our name-servers
  http://www.dnsreport.com/tools/dnsreport.ch?domain=auscert.org.au

and was concerned by a RED result (Fail) for "Open DNS servers":
 |  ERROR: One or more of your nameservers reports that it is an open DNS 
 |  server. This usually means that anyone in the world can query it for 
 |  domains it is not authoritative for (it is possible that the DNS server
 |  advertises that it does recursive lookups when it does not, but that
 |  shouldn't happen).  This can cause an excessive load on your DNS server.
 |  Also, it is strongly discouraged to have a DNS server be both authori-
 |  tative for your domain and be recursive (even if it is not open), due to
 |  the potential for cache poisoning (with no recursion, there is no cache,
 |  and it is impossible to poison it). Also, the bad guys could use your DNS
 |  server as part of an attack, by forging their IP address.
 |  Problem record(s) are:
 |    Server 130.102.128.53 reports that it will do recursive lookups. [test]
 |    Server 130.102.2.53 reports that it will do recursive lookups. [test]

NB clicking on the "test" link does produce a failure, though I think
   that reporting a RED condition on the basis of RA being set is a
   bit exuberant

UQ's name-servers have been configured for the past 6 years to deny
resolving queries from outside our local address-space, and this is done
with allow-query:
    # recent addition for testing
    acl treated_as_external {
        130.102.128.23;
    };
    acl can_do_resolving_queries {
        ! treated_as_external;
        localhost;
        uq_academic;
        ...
    };
    allow-query {
        # [DMT 04-Jun-2005] change to can_do_resolving_queries
        can_do_resolving_queries;
    };
and an "allow-query any" is used in each zone, so that anyone is allowed access
to the records for which the name-server is authoritative:
    zone "uq.edu.au" {
        type master;
        file "master/uq.edu.au.zone";
        allow-query { any; };
    };

The advantage of allow-query over allow-recursion is that external queries
are REFUSED, even those which could be answered from the cache.

If allow-query is designed as a functional superset of allow-recursion,
I suspect the behaviour of responding to a query with REFUSED and RA set
is questionable. This changes to REFUSED without RA when the following
was added (see results below):
    allow-recursion {
        can_do_resolving_queries;
    };

from rfc1035 (I don't know whether there have been any changes since):
 RA  Recursion Available - this be is set or cleared in a response, and
 denotes whether recursive query support is available in the name server.


Do other people question this behaviour of BIND, at least up till 9.3.2?

Danny



There is the separate issue that by returning any packet, our name-servers
are a potential reflector, albeit not an amplifying reflector.

Customizing bind would be easier if a tightly-integrated scripting language
option was available, similar to apache with mod-perl. But I suspect it
would be too easy to produce bad behaviour even for reasonably clueful people.



# WITH JUST ALLOW-QUERY IN CONFIG
# ========================================================================
# looking up a cached record

# external query refused, but with RA set
dig -b130.102.128.23 www.apple.com any

; <<>> DiG 9.3.2-UQ <<>> -b130.102.128.23 www.apple.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46687
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.apple.com.                 IN      ANY

;; Query time: 1 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:04:34 2006
;; MSG SIZE  rcvd: 31



# internal query allowed with RA set
dig www.apple.com any

; <<>> DiG 9.3.2-UQ <<>> www.apple.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23147
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;www.apple.com.                 IN      ANY

;; ANSWER SECTION:
www.apple.com.          502     IN      CNAME   www.apple.com.akadns.net.

;; AUTHORITY SECTION:
apple.com.              142562  IN      NS      nserver2.apple.com.
apple.com.              142562  IN      NS      nserver3.apple.com.
apple.com.              142562  IN      NS      nserver4.apple.com.
apple.com.              142562  IN      NS      nserver.asia.apple.com.
apple.com.              142562  IN      NS      nserver.euro.apple.com.
apple.com.              142562  IN      NS      nserver.apple.com.

;; ADDITIONAL SECTION:
nserver.asia.apple.com. 2302    IN      A       203.120.14.5
nserver.euro.apple.com. 13696   IN      A       17.72.133.64
nserver.apple.com.      340176  IN      A       17.254.0.50
nserver2.apple.com.     340176  IN      A       17.254.0.59
nserver3.apple.com.     81431   IN      A       17.112.144.50
nserver4.apple.com.     81431   IN      A       17.112.144.59

;; Query time: 2 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:04:54 2006
;; MSG SIZE  rcvd: 310



# AFTER ADDING ALLOW-RECURSION TO CONFIG
# ========================================================================

# external query REFUSED but now without RA
dig -b130.102.128.23 www.apple.com any

; <<>> DiG 9.3.2-UQ <<>> -b130.102.128.23 www.apple.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57759
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.apple.com.                 IN      ANY

;; Query time: 1 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:08:01 2006
;; MSG SIZE  rcvd: 31


# internal query allowed with RA set
dig www.apple.com any

; <<>> DiG 9.3.2-UQ <<>> www.apple.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48457
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;www.apple.com.                 IN      ANY

;; ANSWER SECTION:
www.apple.com.          311     IN      CNAME   www.apple.com.akadns.net.

;; AUTHORITY SECTION:
apple.com.              142371  IN      NS      nserver2.apple.com.
apple.com.              142371  IN      NS      nserver3.apple.com.
apple.com.              142371  IN      NS      nserver4.apple.com.
apple.com.              142371  IN      NS      nserver.asia.apple.com.
apple.com.              142371  IN      NS      nserver.euro.apple.com.
apple.com.              142371  IN      NS      nserver.apple.com.

;; ADDITIONAL SECTION:
nserver.asia.apple.com. 2111    IN      A       203.120.14.5
nserver.euro.apple.com. 13505   IN      A       17.72.133.64
nserver.apple.com.      339985  IN      A       17.254.0.50
nserver2.apple.com.     339985  IN      A       17.254.0.59
nserver3.apple.com.     81240   IN      A       17.112.144.50
nserver4.apple.com.     81240   IN      A       17.112.144.59

;; Query time: 2 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:08:05 2006
;; MSG SIZE  rcvd: 310



-- 
   d.thomas at its.uq.edu.au    Danny Thomas,                                    
          +61-7-3365-8221    Software Infrastructure,
 http://www.its.uq.edu.au    ITS, The University of Queensland
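As an added example (not part of Danny's post and not BIND's own code), here is a small Python script that decodes the header fields dig prints on its "flags" line, so an operator can check what their own name-servers advertise: the RCODE, the RA bit, and the response/query size ratio that matters for the reflector point above. The `query_server` helper, the transaction ID and the constructed sample responses are my assumptions; the samples reproduce the two REFUSED cases from the dig output above and come out at 31 bytes, the same MSG SIZE dig reported.

```python
import socket
import struct

# Header flag bits and RCODE values from RFC 1035 section 4.1.1
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_ANY = 255
QCLASS_IN = 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(qname, qtype=QTYPE_ANY, txid=0x1234):
    """Build a plain (no EDNS) query with RD set, like 'dig <name> any'."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header into the fields dig prints on its flags line."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & RCODE_MASK
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(response):
    """Map a response header onto the cases shown in the dig output above."""
    h = parse_header(response)
    if h["rcode"] == "NOERROR" and h["ra"]:
        return "answered-with-ra"    # server resolved (or served from cache) for us
    if h["rcode"] == "REFUSED" and h["ra"]:
        return "refused-ra-set"      # allow-query alone: REFUSED, but RA still advertised
    if h["rcode"] == "REFUSED" and not h["ra"]:
        return "refused-ra-clear"    # with allow-recursion too: REFUSED and RA cleared
    return "other"


def amplification_factor(query, response):
    """Response bytes per query byte; 1.0 means reflection without amplification."""
    return len(response) / len(query)


def build_response(query, flags):
    """Constructed sample (assumption): echo the query's ID and question with the
    given flags and no answer records, which is what a REFUSED reply looks like."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def query_server(server, qname, qtype=QTYPE_ANY, timeout=2.0):
    """Send one UDP query to one of your own servers; returns (query, response)."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        r, _ = s.recvfrom(4096)
    return q, r


# Constructed sample messages mirroring the post's dig output for www.apple.com ANY.
SAMPLE_QUERY = build_query("www.apple.com")
REFUSED_WITH_RA = build_response(SAMPLE_QUERY, FLAG_QR | FLAG_RD | FLAG_RA | 5)
REFUSED_NO_RA = build_response(SAMPLE_QUERY, FLAG_QR | FLAG_RD | 5)

if __name__ == "__main__":
    for label, resp in (("allow-query only", REFUSED_WITH_RA),
                        ("plus allow-recursion", REFUSED_NO_RA)):
        h = parse_header(resp)
        print("%-22s rcode=%s ra=%s size=%d verdict=%s amp=%.2f" % (
            label, h["rcode"], h["ra"], len(resp), classify(resp),
            amplification_factor(SAMPLE_QUERY, resp)))
```

Run stand-alone it prints the two constructed cases; to check a real server replace the constructed responses with the tuple from `query_server("<your server IP>", "www.apple.com")`. The size ratio of 1.0 on a 31-byte query and 31-byte REFUSED reply is the arithmetic behind the "reflector but not amplifier" remark.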


