[+] Description of problem: - Bind 9.11 with default Named configuration responds to RFC 1918 requests [+] Version-Release number of selected component (if applicable): - bind-9.11.4-9.P2.el7.x86_64 [+] How reproducible: - Always [+] Steps to Reproduce: 1. Install IdM with default Named configuration 2. Send RFC 1918 requests to IdM server [+] Actual results: - Jan 10 09:43:31 serverhostname named-pkcs11[20650]: client @0x7******** 192.168.0.2#42094 (1.0.168.192.in-addr.arpa): RFC 1918 response from Internet for 1.0.168.192.in-addr.arpa [+] Expected results: - RFC 1918 requests are blocked [+] Additional info: - Upstream documentation states that Bind 9.9 and above have empty-zones-enable set to 'yes' by default. With a basic deployment of RHEL 7 minimal with IdM installed, this does not seem to be the case with named-pkcs11. - https://www.zytrax.com/books/dns/ch7/queries.html#empty-zones-enable - "By default empty-zones-enable is set to yes which means that reverse queries for IPv4 and IPv6 addresses covered by RFCs 1918, 4193, 5737 and 6598 (as well as IPv6 local address (locally assigned), IPv6 link local addresses, the IPv6 loopback address and the IPv6 unknown address) but which is not not covered by a locally defined zone clause will automatically return an NXDOMAIN response from the local name server."
Bind documentation states it is by default enabled and it is indeed by default enabled. But not a single true or false value is used. Smart detection is in place instead. If both statements empty-zones-enable and disable-empty-zone are missing in configuration, recursion value for given view is used. But it is enabled only when no global forwarders are used, or when forward policy is set to forward first; When forward only is configured, all queries are passed to forwarders without any change. That means no authoritative empty zones are created, even when explicitly requested in configuration. It is expected forwarder would handle possible leaks and has empty zones configured itself.
But above seems to be valid just for normal bind configured by named.conf. When testing it on configured IPA server, my responses were passed to forwarders always, regardless first or only was set in ipa dnsconfig-mod forward-policy. Tested on: bind-pkcs11-9.11.4-16.P2.el7.x86_64 bind-dyndb-ldap-11.1-7.el7.x86_64 named-pkcs11 configured via LDAP does not seem to change behaviour even if empty zones are requested in named.conf explicitly. It seems to be feature of bind-dyndb-ldap, implemented in src/empty_zones.c. My log lists: ignoring inherited 'forward first;' for zone '.' - did you want 'forward only;' to override automatic empty zone '10.IN-ADDR.ARPA'? then: zone 10.IN-ADDR.ARPA/IN: shutting down shutting down automatic empty zones to enable forwarding for domain '.' for each private domain. It seems this behaviour is intentional, forwards all domains to forwarder and not to stop any query on the server empty zone itself. Not yet sure whether it can be disabled.
Thank you taking your time and submitting this request for Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is in Maintenance Support 2 Phase. This bug was reevaluated and will be postponed to RHEL 8. Thank you for understanding. Red Hat Enterprise Linux Identity Management Team