Does BIND 9.3.2 have problems related to forwarding?
Peter Dambier
peter at peter-dambier.de
Wed May 24 11:27:51 UTC 2006
Eivind Olsen wrote:
> Hello.
>
> Does anyone know if BIND 9.3.2 has any bugs/issues related to forwarding?
> I have a DNS server where some zones are deliberately "hijacked" and
> told to query another server through the use of a pr. zone forwarder.
> This is done by declaring the zone to be of type forward, like this:
>
> zone "some.zone" {
> type forward;
> forwarders { 192.168.1.10; };
> };
>
> There is no forwarder-configuration set in the generic options-section,
> only on specific zones (pretty much like the example on p269 in "DNS and
> BIND, 4th edition" (Chapter 10, Forwarding).
>
> The options section looks like this:
> options {
> directory "/opt/named";
> pid-file "named.pid";
> allow-query { any; };
> allow-transfer { my_net; trusted_parties; };
> allow-recursion { my_net; };
> query-source address 213.187.177.3;
> tcp-clients 200;
> recursive-clients 2000;
> version "Semi-secret";
> };
>
> (the named.conf file begins by defining some ACLs, then TSIG-key +
> controls statement, then this options section, followed by definition
> for zone "." and "0.0.127.in-addr.arpa", and finally it uses INCLUDE to
> get the list of the zones which should be forwarded.
>
> So, to sum it up, the server is a recursive server doing normal DNS
> lookups on behalf of DNS clients, and on some zones it forwards the
> request to another server which gives a distinct answer back.
>
> Now, on to the problem. I've seen that some queries have been given
> incorrect replies - a zone which is NOT defined in the configuration has
> ended up with a reply as if it has been forwarded, which it should not.
> It just happens to some queries, but once it has happened, that
> information is cached.
>
> Has anyone seen any problems like this? Any suggestions on what the
> problem might be? I've given this a lot of thought and can't see where
> it could go wrong, except if there are bugs in BIND related to this. But
> I would very much like to be proven wrong on that.
I did have problems like this. The easiest way to reproduce it is to
use a different set of root-servers and watch when the root is overwritten.
I could never trace it. I got rid of it by slaving the zones that got
overwritten. It is nasty to do that on a cache only server but it gets
you rid of the problem. I have seen some ISPs doing exactly the same
with their resolvers.
>
> Oh, another thing. I've looked on the changes-file for BIND 9.4.0a5 and
> searched for forward-related things. I see the following entry, but
> I'm not really sure what the entry is about or if it could be related.
> Could someone perhaps shed some light on what this entry is about?
>
> "1961. [bug] Check the port and address of responses
> forwarded to dispatch. [RT #15474]"
>
It sounds like what Dan Bernstein asked the Bind devellopers
to do. So I guess, yes that is it. I am running 9.4.0a5 for some
days now, mostly as cache but slaving a couple of zones too. I did
not see any hijacking yet but my system does not serve too many
costumers.
Cheers
Peter and Karin Dambier
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
More information about the bind-users
mailing list