Differences between 9.3 and later versions

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Feb 23 16:06:22 UTC 2010


On 23.02.10 09:53, jcarroll65 at cfl.rr.com wrote:
> Due to an security audit I have been given the task of upgrading our BIND
> from 9.3 to a new version (9.7 is preferred). Using the package from
> sunfreeware.com (Solaris 10/X86) the upgrade seem to work well. However,
> whenever someone tries to nslookup (or dig) an external site (i.e.
> cnn.com) they get REFUSED. If I back down to the 9.3 version all is well.
> I've tried to find what new security feature is required, but alas I can't
> seem to get it. What changes affect resolving outside sites?

since 9.4, the allow-query-cache was introduced, which controls if
non-recursive clients may fetch your cache content. Until then, clients who
were allowed to query might see your cache, which was lowering the effect of
disabling recursion to them.

the allow-query-cache and allow-recursion cross-inherit each other - if
only one is set, the other one is assumed to be the same.

This means that you don't have to disable anyone from querying your server
and then enable querying local zones to prevent them from using server as 
semi-recursive.

since 9.5, the default for allow-recursion is { localhost; localnets; }; 
previous versions used iirc { all; }; - if you didn't have recursion
enabled, you may need to do so now. Note that enabling recursion to anyone
is security risk.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
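As an added illustration of the options discussed in the reply above (not configuration from either poster), a named.conf fragment for a 9.5+ server that answers its authoritative zones to anyone but recurses and serves cached data only to the local network. The "lan" ACL name, the 192.0.2.0/24 range, the directory path and the example.com zone are assumed values.

```conf
// Added example, not from the thread: BIND 9.5+ named.conf fragment.
// The "lan" ACL, 192.0.2.0/24, the directory and the zone are assumed.
acl "lan" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;
};

options {
    directory "/var/named";   // assumed path

    // Authoritative data may be queried by anyone.
    allow-query { any; };

    // Since 9.5 the default for allow-recursion is { localhost; localnets; };
    // a client outside that set that previously resolved through this server
    // must be listed here explicitly, otherwise its recursive queries fail.
    allow-recursion { "lan"; };

    // allow-query-cache (9.4+) controls who may read cached answers; it and
    // allow-recursion inherit each other when only one is set, so stating
    // both keeps the intent visible to whoever reads the file later.
    allow-query-cache { "lan"; };
};

zone "example.com" {
    type master;
    file "example.com.zone";   // assumed file name
};
```

With both lists restricted to "lan", a host outside that network still gets answers for example.com but is refused cached or recursive lookups, which is the intended split between authoritative and resolver roles.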