BIND 9.5 issue
Matus UHLAR - fantomas
uhlar at fantomas.sk
Tue Jul 29 11:36:04 UTC 2008
> > On Sun, 27 Jul 2008, Stuart wrote:
> > > I've noticed at least one major difference in behavior, and I'm
> > > wondering if this is something related to bind 9.5.0. I have my
> > > C-class network divided into a few subnets. After upgrading my DNS
> > > server, I noticed that it stopped serving DNS to hosts on different
> > > subnets (and no, this is not a firewall issue).
> >
> > > I was able to fix it but..
> On Jul 28, 9:03 am, "Jeremy C. Reed" <Jeremy_R... at isc.org> wrote:
> > How did you fix it?
On 28.07.08 13:41, Stuart wrote:
> By adding:
>
> allow-query { 140.90.675/24; };
>
> into the options.
Yes, BIND is already not open to everyone by default.
> > > Does bind 9.5.0 pay attention to the netmask or something?
> >
> > Yes, to define "localnets".
> >
> > You probably hit documented change with allow-query-cache. See about that
> > in the doc/misc/migration documentation, the ARM, and the README.
>
> I'll be sure to read that. Looks like I figured it out the hard way.
The default for allow-recursion changed from all hosts in 9.3 to localhost
and localnets in 9.4. It's mentioned in CHANGES:

    2006. [security] Allow-query-cache and allow-recursion now default
                     to the built-in acls "localnets" and "localhost".
                     This is being done to make caching servers less
                     attractive as reflective amplifying targets for
                     spoofed traffic. This still leaves authoritative
                     servers exposed.
                     The best fix is for full BCP 38 deployment to
                     remove spoofed traffic.
It's also mentioned on the web: http://www.isc.org/sw/bind/bind-security.php
(I couldn't find the concrete URL because the ISC web page excessively uses
javascript, so none of the links or "view source" helped me)
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Emacs is a complicated operating system without good text editor.
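As an added illustration (not part of the thread, and not the poster's actual configuration), here is a named.conf fragment that does what the thread describes: it keeps the 9.4/9.5 default of restricting recursion and cache access to "localhost" and "localnets", extends that to routed subnets that are not on the server's own interfaces, and leaves authoritative zone data queryable by anyone without reopening the resolver. The addresses 192.0.2.0/24 and 198.51.100.0/25 and the zone name are constructed placeholders standing in for the poster's subnets.

```conf
// Added example, not from the thread. Addresses are constructed:
// 192.0.2.0/24 and 198.51.100.0/25 stand in for the poster's subnets.
acl "trusted" {
    localhost;
    localnets;          // built-in ACL: networks of the server's own interfaces
                        // (derived from the interface netmasks; routed subnets are
                        // NOT included, which is why the poster's other subnets broke)
    192.0.2.0/24;       // constructed: subnet behind a router
    198.51.100.0/25;    // constructed: second routed subnet
};

options {
    directory "/var/named";
    recursion yes;

    // Weak, pre-9.4 behaviour: an open resolver that can be used as a
    // reflective amplifier for spoofed queries. Left commented out on purpose.
    // allow-recursion   { any; };
    // allow-query-cache { any; };

    // 9.4+/9.5 defaults are effectively { localnets; localhost; }.
    // State them explicitly and extend them with the routed subnets.
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };
    allow-query       { "trusted"; };
};

// Authoritative data may stay world-readable: the per-zone allow-query
// overrides the global one without changing who may recurse or read the cache.
zone "example.com" {
    type master;
    file "example.com.zone";   // constructed file name
    allow-query { any; };
};
```

Restricting allow-query alone, as the poster did, also works, but allow-recursion and allow-query-cache are the settings whose defaults changed, so naming them explicitly documents the intent and survives future default changes. Run `named-checkconf` after editing to catch syntax errors before reloading.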