Bug 1319404
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Authoritative vs. recursive DNS server | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Luc de Louw <ldelouw> |
| Component | doc-Linux_Domain_Identity_Management_Guide | Assignee | Aneta Šteflová Petrová <apetrova> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Namita Soman <nsoman> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.2 | CC | pspacek, pvoborni, rcritten, rhel-docs |
| Target Milestone | rc | Keywords | Documentation, EasyFix |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2016-06-10 11:54:59 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Luc de Louw
2016-03-19 15:55:22 UTC
Yes, IPA default is not the recommended value. Pros and cons are mentioned here: https://bugzilla.redhat.com/show_bug.cgi?id=713798#c2

We need to decide if the assumption 'setting allow-recurse any is an acceptable compromise to make things work out of the box without affecting security too much' still holds.

from idm triage: mkosek: we should at least document (in admonition) that people running FreeIPA DNS in public network should change the default to prevent DNS amplification attacks

For more info contact pspacek.

(In reply to Petr Vobornik from comment #3)
> from idm triage: mkosek: we should at least document (in admonition) that
> people running FreeIPA DNS in public network should change the default to
> prevent DNS amplification attacks
>
> For more info contact pspacek.

Since authoritative answers are not cached, this creates IMHO unnecessary load on the IPA servers. Means that in large environments this can cause performance issues.

(In reply to Luc de Louw from comment #5)
> Since authoritative answers are not cached, this creates IMHO unnecessary
> load on the IPA servers. Means that in large environments this can cause
> performance issues.

Technically this is not correct. Our authoritative server (BIND) has all the data in memory, so the lookup is faster than going through an intermediate recursor (which needs to re-fetch the data from the authoritative server from time to time).

Aneta, please add the following note somewhere near DNS deployment considerations:

IdM-integrated DNS server by default allows all clients to issue recursive queries to the DNS server. When IdM-DNS server is deployed in a network with untrusted clients it is necessary to change DNS server's configuration to prevent DNS amplification attacks. For further information please see https://www.us-cert.gov/ncas/alerts/TA13-088A .

Thanks!

I added the "Preventing DNS Amplification Attacks" section that explains the problem and documents how to prevent the risk.

Published in an asynchronous update.
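As an added example (not code from this bug report, FreeIPA or BIND), here is a small Python probe a practitioner can use to check whether an IdM DNS server actually offers recursion to the client it is run from, which is the condition the note above warns about. It sends a query with the RD bit set for a name outside the server's own zones and reads the RA flag and RCODE of the reply. The sample replies embedded in the block are constructed by hand so the classification logic can be exercised offline; the server address, the test name example.com and the configuration path mentioned in the usage note are assumptions.

```python
"""Probe a DNS server's recursion policy from the client's point of view.

Added example for the IdM DNS recursion discussion; not code from the bug
report, FreeIPA or BIND. The sample replies at the bottom are constructed
by hand (12-byte header plus the echoed question) for offline testing.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=0x1234, rd=True):
    """Encode a standard A/IN query for `name`, asking for recursion via RD."""
    flags = 0x0100 if rd else 0x0000           # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                           # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_response(packet, expected_id=0x1234):
    """Return (recursion_available, rcode_name, authoritative) from a reply."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", packet[:4])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    ra = bool(flags & 0x0080)                  # server would recurse for us
    aa = bool(flags & 0x0400)                  # answer came from its own zone
    rcode = flags & 0x000F
    return ra, RCODE_NAMES.get(rcode, str(rcode)), aa


def classify(packet, expected_id=0x1234):
    """Summarise what one reply says about the server's recursion policy."""
    ra, rcode, aa = parse_response(packet, expected_id)
    if ra:
        return "open-recursion"                # this client may issue recursive queries
    if aa:
        return "authoritative-only"            # served from its own data, no recursion offered
    return "recursion-refused-" + rcode


def probe(server, name="example.com.", port=53, timeout=3.0):
    """Send one RD query over UDP to `server` (assumed reachable) and classify it.

    Use a name outside the server's own zones: an IdM server is authoritative
    for its own domain and answers that regardless of its recursion policy.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(4096)
    return classify(data)


# Constructed sample replies; only the header flags are inspected, so the
# answer sections are omitted (ANCOUNT=0, a valid NODATA-style reply).
_QUESTION = build_query("example.com.")[12:]
# QR=1, RD=1, RA=1, NOERROR: the server is willing to recurse for this client.
OPEN_RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION
# QR=1, RD=1, RA=0, RCODE=REFUSED: what BIND typically returns once
# allow-recursion excludes the client and the name is outside its zones.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION
# QR=1, AA=1, RD=1, RA=0, NOERROR: authoritative reply for the server's own zone.
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, pkt in (("open", OPEN_RESOLVER_REPLY),
                       ("refused", REFUSED_REPLY),
                       ("auth", AUTH_REPLY)):
        print(label, classify(pkt))
```

Run the file to see the three constructed cases, or call `probe("192.0.2.10")` against a server you own (the address is an assumption). The permissive default the note refers to is `allow-recursion { any; };` in the `options` block of the IdM server's BIND configuration (`/etc/named.conf` on RHEL 7, assumed here); narrowing it to an ACL of trusted networks, for example `allow-recursion { localhost; localnets; 192.0.2.0/24; };` with the prefix being an assumption, makes the server answer REFUSED to recursive queries from everyone else while still serving its own zones authoritatively, which is what the probe reports as `recursion-refused-REFUSED` and `authoritative-only` respectively.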