Description of problem: Newer versions of ISC bind (finally) added new configuration directives that can be used to control access to the data in the name server cache - allow-query-cache and allow-query-cache-on. Those directives provides an easy way to deny queries for data only stored in the name server cache, such as previous replies to recursive clients or root zone hints. Existing options allow-queries and allow-recursion/recursive does not offer a way to easily distinguish between requests that will get authoritative and non-authoritative replies. Version-Release number of selected component (if applicable): bind-9.3.4-10.P1.el5, but may be useful for RHEL4 bind version too Additional info: There are few other ways to block outside queries, but they require bind administrators to be little more careful when writing their configs and are often overlooked. One possibility documented on some internet sources is to deny queries by default, an only allow queries explicitly for each zone that should be externally reachable. view external { allow-query { none; }; recursion no; zone "some.zone" IN { type master; file "some.zone"; allow-query { any; }; }; }; Other possibility is to allow queries by default and create (fake) root zone file in the external view (to serve as a catch-all case for all requests not satisfied by other defined authoritative zones) and deny all queries to it. view external { allow-query { any; }; recursion no; zone "some.zone" IN { type master; file "some.zone"; }; zone "." IN { type master; file "root.zone"; allow-query { none; }; }; };
Thanks for the suggestions. Severity is high in my opinion. After reading http://isc.sans.org/diary.html?storyid=5713 and checking our IDS systems, I can confirm also our external DNS servers are 'used' for this kind of ddos (running RHEL5.3). As mentioned in this bulletin http://support.menandmice.com/jforum/posts/list/25.page , it's very strong recommended to implement a global configuration like: acl "trusted" { 192.168.0.0/16; 10.153.154.0/24; localhost; localnets; }; options { ... allow-query { any; }; allow-recursion { trusted; }; allow-query-cache { trusted; }; ... };
I discussed this issue with bind maintainer. There is one significant problem with this proposal - default value for allow-query-cache. Current upstream default is { localhost; localnets; };. However, that default can not be used as the default value for RHEL bind packages, as it would break existing setups where bind is used as a recursive resolver for clients not matched by localnets; ACL and there's no explicit allow-query or allow-recursion directive specified allowing access for all intended client. Default for allow-recursion in bind version shipped in RHEL is { any; };, while current upstream default is { localhost; localnets; };. Therefore, only possibly default that can be used is { any; };, which would *not* address the case where bind installation is used as an amplifier in the mentioned DDoS attacks by default. Manual configuration change will be required anyway, as is needed to implement hints mentioned in the comment #0. There are also some drawbacks associated with inclusion of this feature - divergence from upstream as well as possible configuration file incompatibility between various bind packages versions shipped in one RHEL version.
~~ Attention - RHEL 5.4 Beta Released! ~~ RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner! If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity. Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value. Questions can be posted to this bug or your customer or partner representative.
Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: ======= There was no easy way how to distinguish between clients which will get authoritative or non-authoritative data and restrict certain clients. Consequence: ============ Misconfigured server which replies to requests which should be denied. Attackers might use such misconfigured server as a DNS reflector or to get security sensitive information from server's cache. Fix: ==== New option called "allow-query-cache" has been backported. This option controls access to all server's non-authoritative data, for example cached recursive results and root zone hits. Result: ======= Administrators can use the "allow-query-cache" option to control access to non-authoritative data. By default all clients are allowed to access non-authoritative data.
Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,15 +1 @@ -Cause: +the <filename>bind</filename> (Berkeley Internet Name Domain) package provides an implementation of the DNS (Domain Name System) protocols. Previously, bind did not offer a mechanism to easily distinguish between requests that will receive authoritative and non-authoritative replies. Consequently, an incorrectly configured server may have replied to requests that should have been denied. With this update, bind has been updated, providing the new option <command>allow-query-cache</command> that controls access to non-authoritative data on a server (for example: cached recursive results and root zone hits).-======= -There was no easy way how to distinguish between clients which will get authoritative or non-authoritative data and restrict certain clients. - -Consequence: -============ -Misconfigured server which replies to requests which should be denied. Attackers might use such misconfigured server as a DNS reflector or to get security sensitive information from server's cache. - -Fix: -==== -New option called "allow-query-cache" has been backported. This option controls access to all server's non-authoritative data, for example cached recursive results and root zone hits. - -Result: -======= -Administrators can use the "allow-query-cache" option to control access to non-authoritative data. By default all clients are allowed to access non-authoritative data.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1420.html