[ale] Bind 8.* bug. (fwd)

Nassar Carneige tracc at abraxis.com
Mon Jan 11 23:29:00 EST 1999


   -=Nassar=-
tracc at abraxis.com

---------- Forwarded message ----------
Date: Mon, 11 Jan 1999 23:02:29 +1300
From: Alan Brown <alan at MANAWATU.GEN.NZ>
To: BUGTRAQ at NETSPACE.ORG
Subject: Bind 8.* bug.

For a change, this is a case of security restrictions being too tight,
however it results in hosts "disappearing" from visible DNS for users of
large parts of the net.

If you set up nameservers so that only specified netblocks can make
general recursive queries using the global "allow-query { acl-query; };"
parameter, but also serve domains/zonefiles from the same server with
"allow-query { any; };", then things work well _except_ under the
following circumstance:

If you have a dns entry which is a CNAME to a zonefile/domain not served
from the same nameserver
(e.g.: www.fred.com IN CNAME fredssite.someotherisp.com)
then if queried for the CNAME, the nameserver will refuse to answer the query.

The end result is that non-local lookups for www.fred.com fail in most
circumstances, as the originating site resolver doesn't seem to do a
full DNS lookup procedure on fredssite.someotherisp.com, but continues
to ask the nameserver it just queried about www.fred.com for data on
fredssite.someotherisp.com.

The only time I've found that a lookup for www.fred.com. will work is if
fredssite.someotherisp.com is already cached in the nameserver making
the query.

This was tested with bind 8.1.2 and the associated lookup tools (host,
dig, etc.) running on the querying and nameserving hosts.

Workarounds:

1: leave your nameservers wide open to recursive queries from anywhere
   on the net.

or

2: disallow CNAMEs pointing to domains not supplied from the same nameserver.


Both have their problems:

Immediately after locking our nameservers down to only allow general
queries from authorised netblocks, I found what appeared to be an entire
ISP dialin pool in another country hammering the servers.

Disallowing offsite CNAMEs means that one must be kept informed whenever
another provider changes IPs for offsite hosts you point to, and those
changes must be attended to locally asap.


This was forwarded to bind-bugs at isc.org about a week ago with no response.

AB
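Workaround 2 above only works if you can find the offsite CNAMEs in the first place. The following checker is an added example, not code from the post or from ISC: it parses a master-format zone file and flags every CNAME whose target is not at or below one of the zones the server is authoritative for. The zone names, records and served-zone list are constructed for illustration.

```python
# Flag CNAME records whose target lies outside the zones this nameserver
# serves (the post's "offsite CNAME" case). The sample zone is constructed.
def normalize(name, origin):
    """Lowercase; '@' is the origin; no trailing dot means relative to origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text, origin):
    """(owner, target) pairs for CNAME records in a master-format zone file.
    Handles $ORIGIN, comments, optional TTL/class fields and blank owners."""
    origin = origin.lower().rstrip(".") + "."
    owner, cnames = origin, []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0].startswith("$"):           # $ORIGIN / $TTL directives
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower().rstrip(".") + "."
            continue
        if not raw[0].isspace():                # explicit owner on this line
            owner = normalize(fields.pop(0), origin)
        types = [f.upper() for f in fields]
        if "CNAME" in types:
            cnames.append((owner, normalize(fields[types.index("CNAME") + 1], origin)))
    return cnames

def in_served_zone(name, served_zones):
    """True if name is at or below a zone this server is authoritative for."""
    zones = [z.lower().rstrip(".") + "." for z in served_zones]
    return any(name == z or name.endswith("." + z) for z in zones)

def offsite_cnames(zone_text, origin, served_zones):
    """CNAMEs the locked-down server will refuse to chase for non-local clients."""
    return [(o, t) for o, t in parse_cnames(zone_text, origin)
            if not in_served_zone(t, served_zones)]

SAMPLE_ZONE = """\
$ORIGIN fred.com.
$TTL 3600
@       IN SOA   ns1 hostmaster ( 1 3600 900 604800 86400 )
        IN NS    ns1                           ; blank owner: inherits @
ns1     IN A     192.0.2.1
mail    IN CNAME ns1                           ; local target: fine
www     IN CNAME fredssite.someotherisp.com.   ; offsite target: refused
ftp 300 IN CNAME ftp.fred.com.                 ; absolute local target: fine
"""
SERVED_ZONES = ["fred.com", "example.net"]
```

Run `offsite_cnames(SAMPLE_ZONE, "fred.com", SERVED_ZONES)` against each zone file you serve; anything it returns is a record that non-local resolvers will fail on under the restricted allow-query setup.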