upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-26 11:32:01 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

2006. [security] Allow-query-cache and allow-recursion now default

Browse source 
to the builtin acls "localnets" and "localhost".

                        This is being done to make caching servers less
                        attractive as reflective amplifying targets for
                        spoofed traffic.  This still leave authoritative
                        servers exposed.

                        The best fix is for full BCP 38 deployment to
                        remove spoofed traffic.
This commit is contained in:
Mark Andrews 2006-03-09 03:30:18 +00:00
parent 9cd148558b
commit fe6f384b2e
4 changed files with 86 additions and 72 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
CHANGES
View file

@ -1,3 +1,14 @@
2006. [security] Allow-query-cache and allow-recursion now default
to the builtin acls "localnets" and "localhost".
This is being done to make caching servers less
attractive as reflective amplifying targets for
spoofed traffic. This still leave authoritative
servers exposed.
The best fix is for full BCP 38 deployment to
remove spoofed traffic.
2005. [bug] libbind: Retransmission timeouts should be
based on which attempt it is to the nameserver
and not the nameserver itself. [RT #13548]

5
bin/named/config.c
View file

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.71 2006/03/06 01:27:51 marka Exp $ */
/* $Id: config.c,v 1.72 2006/03/09 03:30:18 marka Exp $ */
/*! \file */
@ -103,7 +103,8 @@ options {\n\
/* view */\n\
allow-notify {none;};\n\
allow-update-forwarding {none;};\n\
allow-recursion {any;};\n\
allow-query-cache { localnets; localhost; };\n\
allow-recursion { localnets; localhost; };\n\
# allow-v6-synthesis <obsolete>;\n\
# sortlist <none>\n\
# topology <none>\n\

14
bin/named/server.c
View file

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.459 2006/02/28 02:39:51 marka Exp $ */
/* $Id: server.c,v 1.460 2006/03/09 03:30:18 marka Exp $ */
/*! \file */
@ -1430,8 +1430,9 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
actx, ns_g_mctx, &view->queryacl));
if (view->queryacl == NULL)
CHECK(configure_view_acl(vconfig, config, "allow-query",
actx, ns_g_mctx, &view->queryacl));
CHECK(configure_view_acl(NULL, ns_g_defaults,
"allow-query-cache", actx,
ns_g_mctx, &view->queryacl));
if (strcmp(view->name, "_bind") != 0)
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
@ -1450,6 +1451,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
"both \"recursion no;\" and \"allow-recursion\" "
"active%s%s", forview, viewname);
/*
* Set default "allow-recursion" acl.
*/
if (view->recursionacl == NULL && view->recursion)
CHECK(configure_view_acl(NULL, ns_g_defaults, "allow-recursion",
actx, ns_g_mctx, &view->recursionacl));
CHECK(configure_view_acl(vconfig, config, "sortlist",
actx, ns_g_mctx, &view->sortlist));

128
doc/arm/Bv9ARM-book.xml
View file

@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.297 2006/03/06 01:27:52 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.298 2006/03/09 03:30:18 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@ -3069,20 +3069,21 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
and whether the element was negated.
</para>
<para>
When used as an access control list, a non-negated match allows
access and a negated match denies access. If there is no match,
access is denied. The clauses <command>allow-notify</command>,
<command>allow-query</command>, <command>allow-query-cache</command>,
<command>allow-transfer</command>,
<command>allow-update</command>, <command>allow-update-forwarding</command>,
and <command>blackhole</command> all use address match
lists.
Similarly, the listen-on option will cause the server to not
accept
queries on any of the machine's addresses which do not match the
list.
</para>
<para>
When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<command>allow-notify</command>,
<command>allow-query</command>,
<command>allow-query-cache</command>,
<command>allow-transfer</command>,
<command>allow-update</command>,
<command>allow-update-forwarding</command>, and
<command>blackhole</command> all use address match
lists. Similarly, the listen-on option will cause the
server to not accept queries on any of the machine's
addresses which do not match the list.
</para>
<para>
Because of the first-match aspect of the algorithm, an element
@ -5772,64 +5773,57 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-query</command></term>
<listitem>
<para>
Specifies which hosts are allowed to
ask ordinary DNS questions. <command>allow-query</command> may also
be specified in the <command>zone</command>
statement, in which
case it overrides the <command>options allow-query</command> statement.
<command>allow-query-cache</command> may also be
specified and will
overrides access to the cache.
If not specified, the default is to allow queries from all
hosts.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-query</command></term>
<listitem>
<para>
Specifies which hosts are allowed to ask ordinary
DNS questions. <command>allow-query</command> may
also be specified in the <command>zone</command>
statement, in which case it overrides the
<command>options allow-query</command> statement.
If not specified, the default is to allow queries
from all hosts.
</para>
<note>
<para>
<command>allow-query-cache</command> is now
used to specify access to the cache.
</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-query-cache</command></term>
<listitem>
<para>
Specifies which hosts are allowed to get answers
from the cache. If not set <command>allow-query</command> applies.
</para>
<para>
The recommended way to set query access to the cache is now
via
<command>allow-query-cache</command> rather than
<command>allow-query</command>.
Inheritance from <command>allow-query</command>
has been retained for
backwards compatability.
</para>
<note>
<para>
If <command>allow-query-cache</command> is set
at the options
level and not set in the view it will still override a
<command>allow-query</command> set at the view
level.
</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-query-cache</command></term>
<listitem>
<para>
Specifies which hosts are allowed to get answers
from the cache. The default is the builtin acls
<command>localnets</command> and
<command>localhost</command>.
</para>
<para>
The way to set query access to the cache is now
via <command>allow-query-cache</command>.
This differs from earlier versions which used
<command>allow-query</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-recursion</command></term>
<listitem>
<para>
Specifies which hosts are allowed to
make recursive queries through this server. If not
specified, the
default is to allow recursive queries from all hosts.
Note that disallowing recursive queries for a host does not
prevent the
host from retrieving data that is already in the server's
cache.
Specifies which hosts are allowed to make recursive
queries through this server. If not specified,
the default is to allow recursive queries from
the builtin acls <command>localnets</command> and
<command>localhost</command>.
Note that disallowing recursive queries for a
host does not prevent the host from retrieving
data that is already in the server's cache.
</para>
</listitem>
</varlistentry>