BIND 9.5 issue

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Jul 29 11:36:04 UTC 2008


> > On Sun, 27 Jul 2008, Stuart wrote:
> > > I've noticed at least one major difference in behavior, and I'm
> > > wondering if this is something related to bind 9.5.0. I have my
> > > C-class network divided into a few subnets. After upgrading my DNS
> > > server, I noticed that it stopped serving DNS to hosts on different
> > > subnets (and no, this is not a firewall issue).
> >
> > > I was able to fix it but..

> On Jul 28, 9:03 am, "Jeremy C. Reed" <Jeremy_R... at isc.org> wrote:
> > How did you fix it?

On 28.07.08 13:41, Stuart wrote:
> By adding:
> 
>         allow-query { 140.90.675/24; };
> 
> into the options.

Yes, BIND is already not open to everyone by default.

> > > Does bind 9.5.0 pay attention to the netmask or something?
> >
> > Yes, to define "localnets".
> >
> > You probably hit documented change with allow-query-cache. See about that
> > in the doc/misc/migration documentation, the ARM, and the README.
> 
> I'll be sure to read that. Looks like I figured it out the hard way.

The default for allow-recursion changed from all hosts in 9.3 to localhost
and localnets in 9.4. It's mentioned in CHANGES:

2006.   [security]      Allow-query-cache and allow-recursion now default
                        to the built in acls "localnets" and "localhost".

                        This is being done to make caching servers less
                        attractive as reflective amplifying targets for
                        spoofed traffic.  This still leave authoritative
                        servers exposed.

                        The best fix is for full BCP 38 deployment to
                        remove spoofed traffic.

It's also mentioned on the web: http://www.isc.org/sw/bind/bind-security.php

(I couldn't find a concrete URL because the ISC web page uses JavaScript
excessively, so neither the links nor "view source" helped me.)

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.
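The refusal Stuart saw follows directly from how named evaluates the built-in ACLs: "localhost" matches the server's own interface addresses and "localnets" matches only the networks directly attached to its interfaces, so a host in a neighbouring subnet of the same class C is outside the 9.4/9.5 default of "localnets; localhost" and is answered only once an explicit prefix is listed. The following is an added illustration, not code from the thread or from BIND itself: it models named's first-match address_match_list semantics in Python against a constructed interface table (192.0.2.10/26 and the loopback address are made-up values) and compares the pre-9.4 default, the new default, and an explicit /24 such as the one Stuart added.

```python
import ipaddress

# Constructed interface table for the model server: (address, prefix length).
# These values are invented for the example; they are not from the original post.
SERVER_INTERFACES = [("192.0.2.10", 26), ("127.0.0.1", 8)]

# The two defaults discussed in the thread: "any" before 9.4, and the
# built-in ACLs "localnets" and "localhost" from 9.4 onward (CHANGES #2006).
OLD_DEFAULT = ["any"]
NEW_DEFAULT = ["localnets", "localhost"]


def localnets(interfaces=SERVER_INTERFACES):
    """Networks the built-in 'localnets' ACL covers: every network directly
    attached to one of the server's interfaces, derived from the netmask."""
    return [ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            for addr, plen in interfaces]


def localhost(interfaces=SERVER_INTERFACES):
    """Addresses the built-in 'localhost' ACL covers: the server's own
    interface addresses (each as a single-host network)."""
    return [ipaddress.ip_network(addr) for addr, _ in interfaces]


def acl_allows(acl, client, interfaces=SERVER_INTERFACES):
    """First-match evaluation of an address_match_list as named does it.

    Elements are strings: 'any', 'none', 'localhost', 'localnets', a CIDR
    prefix, or any of these with a leading '!' to negate the match.
    The first matching element decides; no match means the client is denied.
    """
    addr = ipaddress.ip_address(client)
    for element in acl:
        negate = element.startswith("!")
        name = element[1:] if negate else element
        if name == "any":
            matched = True
        elif name == "none":
            matched = False
        elif name == "localhost":
            matched = any(addr in net for net in localhost(interfaces))
        elif name == "localnets":
            matched = any(addr in net for net in localnets(interfaces))
        else:
            matched = addr in ipaddress.ip_network(name, strict=False)
        if matched:
            return not negate
    return False


def compare_defaults(client, interfaces=SERVER_INTERFACES):
    """(allowed under the old default, allowed under the new default)."""
    return (acl_allows(OLD_DEFAULT, client, interfaces),
            acl_allows(NEW_DEFAULT, client, interfaces))


if __name__ == "__main__":
    # Constructed client addresses: same subnet, other subnet of the same /24,
    # and a host outside the network entirely.
    explicit = ["192.0.2.0/24"]  # the kind of prefix Stuart added to allow-query
    for client in ("192.0.2.20", "192.0.2.100", "198.51.100.5"):
        old, new = compare_defaults(client)
        fixed = acl_allows(explicit, client)
        print(f"{client:>14}  old default: {old!s:5}  "
              f"new default: {new!s:5}  explicit /24: {fixed}")
```

Run as-is, the table shows 192.0.2.100 (same class C, different subnet) is accepted by the old "any" default, refused by "localnets; localhost" because the interface netmask is /26, and accepted again once the whole /24 is listed; the off-network 198.51.100.5 is refused by both the new default and the explicit prefix, which is the reflection-amplification exposure the CHANGES entry is closing.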

