http://www.dnsreport.com/tools/dnsreport.ch?domain=auscert.org.au
and were concerned that a RED result (Fail) for "Open DNS servers"

| ERROR: One or more of your nameservers reports that it is an open DNS
| server. This usually means that anyone in the world can query it for
| domains it is not authoritative for (it is possible that the DNS server
| advertises that it does recursive lookups when it does not, but that
| shouldn't happen). This can cause an excessive load on your DNS server.
| Also, it is strongly discouraged to have a DNS server be both
| authoritative for your domain and be recursive (even if it is not open),
| due to the potential for cache poisoning (with no recursion, there is no
| cache, and it is impossible to poison it). Also, the bad guys could use
| your DNS server as part of an attack, by forging their IP address.
| Problem record(s) are:
| Server 130.102.128.53 reports that it will do recursive lookups. [test]
| Server 130.102.2.53 reports that it will do recursive lookups. [test]

NB clicking on the "test" link does produce a failure, though I think that
reporting a RED condition on the basis of RA being set is a bit exuberant.

UQ's name-servers have been configured for the past 6 years to deny
resolving queries from outside our local address-space, and this is done
with allow-query

    # recent addition for testing
    acl treated_as_external { 130.102.128.23; };

    acl can_do_resolving_queries {
        ! treated_as_external;
        localhost;
        uq_academic;
        ...
    };

    allow-query {
        # [DMT 04-Jun-2005] change to can_do_resolving_queries
        can_do_resolving_queries;
    };

and an "allow-query any" used in each zone, i.e. so we allow anyone access
to the records for which the name-server is authoritative

    zone "uq.edu.au" {
        type master;
        file "master/uq.edu.au.zone";
        allow-query { any; };
    };

The advantage of allow-query over allow-recursion is that external queries
are REFUSED, even those which could be answered from the cache.

If allow-query is designed as a functional superset of allow-recursion,
I suspect the behaviour in responding to a query with REFUSED and RA set
is questionable. This changes to REFUSED without RA when the following
was added (see results below)

    allow-recursion {
        can_do_resolving_queries;
    };

from rfc1035 (I don't know whether there's been any changes since)

    RA  Recursion Available - this be is set or cleared in a
        response, and denotes whether recursive query support is
        available in the name server.

Do other people question this behaviour of bind, at least up till 9.3.2?

Danny

There is the separate issue that by returning any packet, our name-servers
are a potential reflector, albeit not an amplifying reflector.

Customizing bind would be easier if a tightly-integrated scripting language
option was available, similar to apache with mod-perl. But I suspect it
would be too easy to produce bad behaviour even for reasonably clueful
people.


# WITH JUST ALLOW-QUERY IN CONFIG
# ========================================================================

# looking up a cached record
# external query refused, but with RA set
dig -b130.102.128.23 www.apple.com any

; <<>> DiG 9.3.2-UQ <<>> -b130.102.128.23 www.apple.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46687
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.apple.com.                 IN      ANY

;; Query time: 1 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:04:34 2006
;; MSG SIZE  rcvd: 31


# internal query allowed with RA set
dig www.apple.com any

; <<>> DiG 9.3.2-UQ <<>> www.apple.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23147
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;www.apple.com.                 IN      ANY

;; ANSWER SECTION:
www.apple.com.          502     IN      CNAME   www.apple.com.akadns.net.

;; AUTHORITY SECTION:
apple.com.              142562  IN      NS      nserver2.apple.com.
apple.com.              142562  IN      NS      nserver3.apple.com.
apple.com.              142562  IN      NS      nserver4.apple.com.
apple.com.              142562  IN      NS      nserver.asia.apple.com.
apple.com.              142562  IN      NS      nserver.euro.apple.com.
apple.com.              142562  IN      NS      nserver.apple.com.

;; ADDITIONAL SECTION:
nserver.asia.apple.com. 2302    IN      A       203.120.14.5
nserver.euro.apple.com. 13696   IN      A       17.72.133.64
nserver.apple.com.      340176  IN      A       17.254.0.50
nserver2.apple.com.     340176  IN      A       17.254.0.59
nserver3.apple.com.     81431   IN      A       17.112.144.50
nserver4.apple.com.     81431   IN      A       17.112.144.59

;; Query time: 2 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:04:54 2006
;; MSG SIZE  rcvd: 310


# AFTER ADDING ALLOW-RECURSION TO CONFIG
# ========================================================================

# external query REFUSED but now without RA
dig -b130.102.128.23 www.apple.com any

; <<>> DiG 9.3.2-UQ <<>> -b130.102.128.23 www.apple.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57759
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.apple.com.                 IN      ANY

;; Query time: 1 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:08:01 2006
;; MSG SIZE  rcvd: 31


# internal query allowed with RA set
dig www.apple.com any

; <<>> DiG 9.3.2-UQ <<>> www.apple.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48457
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;www.apple.com.                 IN      ANY

;; ANSWER SECTION:
www.apple.com.          311     IN      CNAME   www.apple.com.akadns.net.

;; AUTHORITY SECTION:
apple.com.              142371  IN      NS      nserver2.apple.com.
apple.com.              142371  IN      NS      nserver3.apple.com.
apple.com.              142371  IN      NS      nserver4.apple.com.
apple.com.              142371  IN      NS      nserver.asia.apple.com.
apple.com.              142371  IN      NS      nserver.euro.apple.com.
apple.com.              142371  IN      NS      nserver.apple.com.

;; ADDITIONAL SECTION:
nserver.asia.apple.com. 2111    IN      A       203.120.14.5
nserver.euro.apple.com. 13505   IN      A       17.72.133.64
nserver.apple.com.      339985  IN      A       17.254.0.50
nserver2.apple.com.     339985  IN      A       17.254.0.59
nserver3.apple.com.     81240   IN      A       17.112.144.50
nserver4.apple.com.     81240   IN      A       17.112.144.59

;; Query time: 2 msec
;; SERVER: 130.102.128.43#53(130.102.128.43)
;; WHEN: Thu Jul 20 10:08:05 2006
;; MSG SIZE  rcvd: 310

-- 
d.thomas
Danny Thomas, +61-7-3365-8221
Software Infrastructure, http://www.its.uq.edu.au
ITS, The University of Queensland
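The point of the post is that dnsreport's "open DNS server" check keys on the RA bit in the header of the reply, not on whether the server actually answered, so an allow-query-only BIND refuses the off-zone query but still advertises recursion. The script below, an added example that is not part of the post, dnsreport or BIND, sends the same kind of query `dig www.apple.com any` does and reads back RCODE and RA from the 12-byte header. It uses only the Python standard library; the three sample packets are constructed by hand to mirror the dig outputs quoted above (the two 31-byte REFUSED replies with ids 46687 and 57759, and a NOERROR reply trimmed to its CNAME answer), so the classification runs offline, while `probe()` does the same over UDP against a real server (its `source` parameter plays the role of dig's `-b`).

```python
"""Read RCODE and RA from a name-server's reply to an off-zone query.

Added example, not code from the post, dnsreport or BIND. The sample
packets are constructed to mirror the dig outputs quoted in the post.
"""
import socket
import struct

QTYPE_ANY, QCLASS_IN = 255, 1
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype=QTYPE_ANY):
    """A query with RD set, which is what `dig <name> any` sends."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet):
    """Decode the 12-byte DNS header into the fields the open-resolver test looks at."""
    if len(packet) < 12:
        raise ValueError("truncated DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(packet):
    """Name the outcome of an off-zone query, matching the three cases in the post."""
    h = parse_header(packet)
    if not h["qr"]:
        raise ValueError("packet is a query, not a response")
    if h["rcode"] == "REFUSED":
        # allow-query alone: REFUSED with RA; with allow-recursion added: REFUSED, no RA
        return "refused-ra-set" if h["ra"] else "refused-ra-clear"
    if h["ra"]:
        return "recursion-served"   # the server resolved (or tried to resolve) for us
    return "other:" + h["rcode"]


def probe(server, name="www.apple.com", source=None, timeout=3.0):
    """Send one off-zone query over UDP and classify the reply (needs network access).

    `source` optionally binds the local address, like dig's -b option.
    """
    txid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        if source:
            sock.bind((source, 0))
        sock.sendto(build_query(txid, name), (server, 53))
        reply, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    if parse_header(reply)["id"] != txid:
        raise ValueError("reply id does not match query")
    return classify(reply)


# Constructed samples (hex) mirroring the dig outputs quoted in the post.
QUESTION_HEX = "03777777056170706c6503636f6d00" "00ff0001"  # www.apple.com IN ANY
REFUSED_RA_SET = bytes.fromhex(      # id 46687, flags qr rd ra, rcode REFUSED
    "b65f8185" "0001000000000000" + QUESTION_HEX)
REFUSED_RA_CLEAR = bytes.fromhex(    # id 57759, flags qr rd, rcode REFUSED
    "e19f8105" "0001000000000000" + QUESTION_HEX)
ANSWERED_RA_SET = bytes.fromhex(     # id 23147, flags qr rd ra, NOERROR, one answer
    "5a6b8180" "0001000100000000" + QUESTION_HEX
    + "c00c" "0005" "0001" "000001f6" "001a"   # name pointer, CNAME, IN, TTL 502, rdlen 26
    + "03777777056170706c6503636f6d06616b61646e73036e657400")  # www.apple.com.akadns.net.

if __name__ == "__main__":
    for label, pkt in (("allow-query only", REFUSED_RA_SET),
                       ("allow-query + allow-recursion", REFUSED_RA_CLEAR),
                       ("internal client", ANSWERED_RA_SET)):
        h = parse_header(pkt)
        print("%-30s id=%5d rcode=%-8s ra=%-5s -> %s"
              % (label, h["id"], h["rcode"], h["ra"], classify(pkt)))
```

Run it as-is to see the three cases decoded; call `probe("130.102.128.43", source="130.102.128.23")` from a host that owns that address to repeat the `dig -b` test against a live server. Note that the classification deliberately reports "refused-ra-set" as its own case rather than lumping it with an open resolver: that is exactly the state dnsreport flags RED, and the fix is the allow-recursion line rather than any change to allow-query.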