conf/177607: named.conf comment to slave root suggests potentially dangerous BIND configuration

Mark Knight markk at knigma.org
Wed Apr 3 11:40:01 UTC 2013


>Number:         177607
>Category:       conf
>Synopsis:       named.conf comment to slave root suggests potentially dangerous BIND configuration
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 03 11:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Mark Knight
>Release:        FreeBSD 9.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD shrewd.pub.knigma.org 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r244649: Thu Dec 27 22:02:49 GMT 2012 root at shrewd.pub.knigma.org:/sys/amd64/compile/SHREWD amd64

>Description:
	
	The comment in the default named.conf encourages users to slave the root but does not provide
	an example configuration that prevents a name server from being used as an amplifier in DDOS attacks.
	Users who adopt this configuration by uncommenting the supplied entries are likely to receive
	abuse reports or be unwitting participants in a DDOS attack.
>How-To-Repeat:
	Uncomment the zone "." entry and then run dig -t ns @x.x.x.x . from the Internet.
>Fix:
	Consider applying a patch such as enclosed below to the default configuration file to help users
	avoid this misconfiguration if they uncomment the relevant slave zone configurations.

Index: etc/namedb/named.conf
===================================================================
--- etc/namedb/named.conf	(revision 247765)
+++ etc/namedb/named.conf	(working copy)
@@ -104,6 +104,7 @@
 	masters {
 		192.5.5.241;	// F.ROOT-SERVERS.NET.
 	};
+	allow-query { localhost; };
 	notify no;
 };
 zone "arpa" {
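Review bot: `allow-query { localhost; };` closes the amplification hole for the "." zone, but localhost is almost certainly narrower than what a user who slaves the root intends, since the usual reason to slave it is to serve a site's own resolvers. The added line should carry a comment telling the user to widen it to their own client networks, for example `allow-query { localhost; localnets; };` or a named `acl`; otherwise users who uncomment the block will see every query from their LAN refused and may simply delete the line, reproducing the open-amplifier configuration the PR describes. A zone-level `allow-query` overrides whatever `allow-query` is set in `options`, so the restriction holds even on hosts where the global value is `any`.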
@@ -112,6 +113,7 @@
 	masters {
 		192.5.5.241;	// F.ROOT-SERVERS.NET.
 	};
+	allow-query { localhost; };
 	notify no;
 };
 */
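Review bot: the `allow-query` line is repeated verbatim for the "arpa" zone, so the two slaved zones can drift apart when a user edits one and forgets the other. Both blocks already share the same `masters` list; consider declaring the permitted clients once in an `acl` statement above the zones and referencing it from both, or setting `allow-query` in `options` when a server-wide restriction is the intent. The closing `*/` shows these zones sit inside a comment block, so the patch changes nothing until the user uncomments them, which matches the PR's stated goal.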

>Release-Note:
>Audit-Trail:
>Unformatted:
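The misconfiguration this PR describes is easy to check for mechanically: any slaved zone whose block carries no `allow-query` will answer every client on the Internet. The script below is an added example, not part of the PR or of FreeBSD's named.conf; it scans a constructed named.conf fragment (two root-style slave zones, only one of them restricted, plus a master zone) and reports the slave zones that lack a zone-level `allow-query`. It assumes the flat, uncommented zone syntax used in the patch above and does not follow `include` directives, handle `/* ... */` comment blocks, or account for a global `allow-query` in `options`.

```shell
#!/bin/sh
# Added example (not part of the PR): report slaved zones in a named.conf
# that have no zone-level allow-query, i.e. zones any Internet host may query.

# Constructed sample config. "." is slaved and unrestricted (the problem case),
# "arpa" is slaved and restricted, "example.org" is a master zone and is ignored.
SAMPLE_CONF='
zone "." {
	type slave;
	file "/etc/namedb/slave/root.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
zone "arpa" {
	type slave;
	file "/etc/namedb/slave/arpa.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	allow-query { localhost; };
	notify no;
};
zone "example.org" {
	type master;
	file "/etc/namedb/master/example.org";
};
'

# unrestricted_slave_zones CONFIG_TEXT
# Prints, one per line, the name of every zone whose block declares
# "type slave" (or a masters clause) but contains no allow-query statement.
unrestricted_slave_zones() {
	printf '%s\n' "$1" | awk '
		# drop // comments so a commented-out allow-query does not count
		{ sub(/\/\/.*/, "") }
		# a new zone block: remember its name and reset per-zone state
		/^[ \t]*zone[ \t]+"/ {
			name = $0
			sub(/^[ \t]*zone[ \t]+"/, "", name)
			sub(/".*/, "", name)
			depth = 0; slave = 0; restricted = 0
		}
		name != "" {
			if ($0 ~ /type[ \t]+slave/ || $0 ~ /masters[ \t]*\{/) slave = 1
			if ($0 ~ /allow-query/) restricted = 1
			# track brace nesting so the masters { } sub-block is not mistaken
			# for the end of the zone
			depth += gsub(/\{/, "{")
			depth -= gsub(/\}/, "}")
			if (depth == 0 && $0 ~ /\}/) {
				if (slave && !restricted) print name
				name = ""
			}
		}'
}

# Stand-alone run: list the offending zones from the sample config.
for z in $(unrestricted_slave_zones "$SAMPLE_CONF"); do
	echo "slave zone \"$z\" has no allow-query: answers any Internet client"
done
```

Run it against a real file with `unrestricted_slave_zones "$(cat /etc/namedb/named.conf)"` after the slaved zones have been uncommented; an empty result means every slave zone carries its own `allow-query`. Because the check ignores the global `options` block, a server that restricts queries there will be reported as well, which errs on the side of a false positive rather than a missed open zone.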