should denials by allow-query set RA bit?
Danny Thomas
d.thomas at its.uq.edu.au
Thu Jul 20 06:10:46 UTC 2006
a person at UQ recently ran dnsreport against a zone on our name-servers
http://www.dnsreport.com/tools/dnsreport.ch?domain=auscert.org.au
and was concerned about a RED result (Fail) for "Open DNS servers":
| ERROR: One or more of your nameservers reports that it is an open DNS
| server. This usually means that anyone in the world can query it for
| domains it is not authoritative for (it is possible that the DNS server
| advertises that it does recursive lookups when it does not, but that
| shouldn't happen). This can cause an excessive load on your DNS server.
| Also, it is strongly discouraged to have a DNS server be both
| authoritative for your domain and be recursive (even if it is not open),
| due to the potential for cache poisoning (with no recursion, there is no
| cache, and it is impossible to poison it). Also, the bad guys could use
| your DNS server as part of an attack, by forging their IP address.
| Problem record(s) are:
| Server 130.102.128.53 reports that it will do recursive lookups. [test]
| Server 130.102.2.53 reports that it will do recursive lookups. [test]
NB clicking on the "test" link does produce a failure, though I think
that reporting a RED condition on the basis of RA being set is a
bit exuberant.
UQ's name-servers have been configured for the past 6 years to deny
resolving queries from outside our local address-space, and this is done
with allow-query:
# recent addition for testing
acl treated_as_external {
130.102.128.23;
};
acl can_do_resolving_queries {
! treated_as_external;
localhost;
uq_academic;
...
};
allow-query {
# [DMT 04-Jun-2005] change to can_do_resolving_queries
can_do_resolving_queries;
};
and an "allow-query any" is used in each zone, i.e. so we allow anyone access
to the records for which the name-server is authoritative:
zone "uq.edu.au" {
    type master;
    file "master/uq.edu.au.zone";
    allow-query { any; };
};
The advantage of allow-query over allow-recursion is that external queries
are REFUSED, even those which could be answered from the cache.
If allow-query is designed as a functional superset of allow-recursion,
I suspect the behaviour in responding to a query with REFUSED and RA set
is questionable. This changes to REFUSED without RA when the following
was added (see results below):
allow-recursion {
can_do_resolving_queries;
};
from rfc1035 (I don't know whether there have been any changes since):
RA Recursion Available - this be is set or cleared in a response, and
denotes whether recursive query support is available in the name server.
Do other people question this behaviour of bind, at least up till 9.3.2?
Danny
There is the separate issue that by returning any packet, our name-servers
are a potential reflector, albeit not an amplifying reflector.
Customizing bind would be easier if a tightly-integrated scripting language
option was available, similar to apache with mod-perl. But I suspect it
would be too easy to produce bad behaviour even for reasonably clueful people.
# WITH JUST ALLOW-QUERY IN CONFIG
# ========================================================================
# looking up a cached record
# external query refused, but with RA set
dig -b130.102.128.23 www.apple.com any
; <<>> DiG 9.3.2-UQ <<>> -b130.102.128.23 www.apple.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46687
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.apple.com. IN ANY
;; Query time: 1 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:04:34 2006
;; MSG SIZE rcvd: 31
# internal query allowed with RA set
dig www.apple.com any
; <<>> DiG 9.3.2-UQ <<>> www.apple.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23147
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; QUESTION SECTION:
;www.apple.com. IN ANY
;; ANSWER SECTION:
www.apple.com. 502 IN CNAME www.apple.com.akadns.net.
;; AUTHORITY SECTION:
apple.com. 142562 IN NS nserver2.apple.com.
apple.com. 142562 IN NS nserver3.apple.com.
apple.com. 142562 IN NS nserver4.apple.com.
apple.com. 142562 IN NS nserver.asia.apple.com.
apple.com. 142562 IN NS nserver.euro.apple.com.
apple.com. 142562 IN NS nserver.apple.com.
;; ADDITIONAL SECTION:
nserver.asia.apple.com. 2302 IN A 203.120.14.5
nserver.euro.apple.com. 13696 IN A 17.72.133.64
nserver.apple.com. 340176 IN A 17.254.0.50
nserver2.apple.com. 340176 IN A 17.254.0.59
nserver3.apple.com. 81431 IN A 17.112.144.50
nserver4.apple.com. 81431 IN A 17.112.144.59
;; Query time: 2 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:04:54 2006
;; MSG SIZE rcvd: 310
# AFTER ADDING ALLOW-RECURSION TO CONFIG
# ========================================================================
# external query REFUSED but now without RA
dig -b130.102.128.23 www.apple.com any
; <<>> DiG 9.3.2-UQ <<>> -b130.102.128.23 www.apple.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57759
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.apple.com. IN ANY
;; Query time: 1 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:08:01 2006
;; MSG SIZE rcvd: 31
# internal query allowed with RA set
dig www.apple.com any
; <<>> DiG 9.3.2-UQ <<>> www.apple.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48457
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6
;; QUESTION SECTION:
;www.apple.com. IN ANY
;; ANSWER SECTION:
www.apple.com. 311 IN CNAME www.apple.com.akadns.net.
;; AUTHORITY SECTION:
apple.com. 142371 IN NS nserver2.apple.com.
apple.com. 142371 IN NS nserver3.apple.com.
apple.com. 142371 IN NS nserver4.apple.com.
apple.com. 142371 IN NS nserver.asia.apple.com.
apple.com. 142371 IN NS nserver.euro.apple.com.
apple.com. 142371 IN NS nserver.apple.com.
;; ADDITIONAL SECTION:
nserver.asia.apple.com. 2111 IN A 203.120.14.5
nserver.euro.apple.com. 13505 IN A 17.72.133.64
nserver.apple.com. 339985 IN A 17.254.0.50
nserver2.apple.com. 339985 IN A 17.254.0.59
nserver3.apple.com. 81240 IN A 17.112.144.50
nserver4.apple.com. 81240 IN A 17.112.144.59
;; Query time: 2 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:08:05 2006
;; MSG SIZE rcvd: 310
--
d.thomas at its.uq.edu.au Danny Thomas,
+61-7-3365-8221 Software Infrastructure,
http://www.its.uq.edu.au ITS, The University of Queensland
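As an added example (not from the post, nor BIND or dnsreport code), a small Python DNS-header decoder showing why the two REFUSED replies above differ only in the RA flag, plus the check dnsreport appears to apply, which is assumed here from the report wording: a reply with RA set counts as "will do recursive lookups" regardless of RCODE. The messages are constructed inline to match the 31-byte REFUSED replies in the dig output.

```python
import struct

# Header flag bits and RCODEs used in the post's dig output.
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_response(qid, rcode, ra, qname="www.apple.com", qtype=255):
    """Constructed reply: 12-byte header + question 'qname IN ANY', no records.
    RD is echoed from the query, RA set or cleared as the server chooses."""
    flags = QR | RD | (RA if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_header(msg):
    """Decode the fields dig prints as 'status' and 'flags'."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
        "answer": an,
    }


def advertises_recursion(msg):
    """Assumed dnsreport logic: RA set => 'reports that it will do recursive
    lookups', even if the query itself was REFUSED (allow-query-only case)."""
    return parse_header(msg)["ra"]


def classify(msg):
    """Summarise a reply as the post's cases read."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_REFUSED:
        return "refused, RA set" if h["ra"] else "refused, RA clear"
    return "answered, RA set" if h["ra"] else "answered, RA clear"


if __name__ == "__main__":
    # id 46687: allow-query only; id 57759: after adding allow-recursion.
    for qid, ra in ((46687, True), (57759, False)):
        reply = build_response(qid, RCODE_REFUSED, ra)
        print(qid, len(reply), "bytes:", classify(reply),
              "-> flagged" if advertises_recursion(reply) else "-> clean")
```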