Bug 483708 - bind: backport support for allow-query-cache* configuration directives [RHEL-5]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: bind
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Adam Tkac
QA Contact: BaseOS QE
Depends On:
Blocks: RHEL5u4_relnotes 485393
Reported: 2009-02-03 03:10 EST by Tomas Hoger
Modified: 2013-04-30 19:42 EDT

Doc Type: Bug Fix
Doc Text:
The <filename>bind</filename> (Berkeley Internet Name Domain) package provides an implementation of the DNS (Domain Name System) protocols. Previously, bind did not offer a mechanism to easily distinguish between requests that will receive authoritative and non-authoritative replies. Consequently, an incorrectly configured server may have replied to requests that should have been denied. With this update, bind has been updated, providing the new option <command>allow-query-cache</command> that controls access to non-authoritative data on a server (for example: cached recursive results and root zone hits).
Story Points: ---
Clones: 485393
Last Closed: 2009-09-02 03:37:12 EDT
Attachments: None
Description Tomas Hoger 2009-02-03 03:10:34 EST
Description of problem:
Newer versions of ISC bind (finally) added new configuration directives that can be used to control access to the data in the name server cache - allow-query-cache and allow-query-cache-on.  Those directives provide an easy way to deny queries for data only stored in the name server cache, such as previous replies to recursive clients or root zone hints.

Existing options allow-query and allow-recursion/recursion do not offer a way to easily distinguish between requests that will get authoritative and non-authoritative replies.

Version-Release number of selected component (if applicable):
bind-9.3.4-10.P1.el5, but may be useful for RHEL4 bind version too

Additional info:
There are a few other ways to block outside queries, but they require bind administrators to be a little more careful when writing their configs and are often overlooked.

One possibility documented on some internet sources is to deny queries by default, and only allow queries explicitly for each zone that should be externally reachable.
    view external {
        allow-query { none; };
        recursion no;

        zone "some.zone" IN {
            type master;
            file "some.zone";
            allow-query { any; };
        };
    };

Other possibility is to allow queries by default and create (fake) root zone file in the external view (to serve as a catch-all case for all requests not satisfied by other defined authoritative zones) and deny all queries to it.
    view external {
        allow-query { any; };
        recursion no;

        zone "some.zone" IN {
            type master;
            file "some.zone";
        };

        zone "." IN {
            type master;
            file "root.zone";
            allow-query { none; };
        };
    };
Comment 5 Andre ten Bohmer 2009-02-04 11:13:40 EST
Thanks for the suggestions.
Severity is high in my opinion. After reading http://isc.sans.org/diary.html?storyid=5713 and checking our IDS systems, I can confirm also our external DNS servers are 'used' for this kind of DDoS (running RHEL5.3). As mentioned in this bulletin http://support.menandmice.com/jforum/posts/list/25.page , it is very strongly recommended to implement a global configuration like:
 acl "trusted" {
     192.168.0.0/16;
     10.153.154.0/24;
     localhost;
     localnets;
 };
 
 options {
     ...
     allow-query { any; };
     allow-recursion { trusted; };
     allow-query-cache { trusted; };
     ...
 };
Comment 7 Tomas Hoger 2009-02-04 11:46:03 EST
I discussed this issue with the bind maintainer.  There is one significant problem with this proposal - the default value for allow-query-cache.  The current upstream default is { localhost; localnets; };.  However, that default can not be used as the default value for RHEL bind packages, as it would break existing setups where bind is used as a recursive resolver for clients not matched by the localnets; ACL and there's no explicit allow-query or allow-recursion directive specified allowing access for all intended clients.  The default for allow-recursion in the bind version shipped in RHEL is { any; };, while the current upstream default is { localhost; localnets; };.

Therefore, the only possible default that can be used is { any; };, which would *not* address the case where a bind installation is used as an amplifier in the mentioned DDoS attacks by default.  A manual configuration change will be required anyway, as is needed to implement the hints mentioned in comment #0.

There are also some drawbacks associated with inclusion of this feature - divergence from upstream as well as possible configuration file incompatibility between various bind packages versions shipped in one RHEL version.
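The configuration in comment 5 and the { any; } default discussed in comment 7 both come down to one observable behaviour: does the server hand non-authoritative data (cached answers, root hints) to an arbitrary client? The following probe, added here as an example and not part of the bug report or of the bind package, asks a server for ". IN NS" with the RD bit clear, which a non-root server can only answer from its hints or cache, and classifies the reply: REFUSED means allow-query-cache (or allow-query) excludes the client, a NOERROR reply with AA=0 and records present means the cache is open to it. It also reports the byte amplification such a reply gives a source-spoofing attacker. The server address 192.0.2.53, the sample replies and the root-server names used offline are constructed for illustration.

```python
# Added example for bug 483708; not part of the bug report or of the bind package.
# Pure-stdlib probe: asks a name server, from the client's vantage point, for
# data it can only serve from cache or root hints (". IN NS", RD=0) and
# classifies the reply. The server address, the offline sample responses and
# the record names are assumptions constructed here for illustration.
import socket
import struct

QTYPE_NS = 2
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Wire-format a domain name ("." encodes as a single zero byte)."""
    labels = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_query(qname: str, qtype: int, rd: bool, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query; rd=False asks only for what the server already holds."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields the classification needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(resp: bytes) -> str:
    """Map a reply to what it tells us about the server's ACLs for this client."""
    h = parse_header(resp)
    if h["rcode"] == RCODE_REFUSED:
        return "restricted"          # allow-query / allow-query-cache denies this client
    if h["rcode"] == RCODE_NOERROR and h["aa"]:
        return "authoritative"       # the name is in a zone the server serves itself
    if h["rcode"] == RCODE_NOERROR and (h["ancount"] or h["nscount"]):
        return "cache-served"        # non-authoritative data handed out: cache or hints
    return "other"


def amplification(query: bytes, resp: bytes) -> float:
    """Bytes returned per byte sent: the gain a spoofed-source attacker obtains."""
    return len(resp) / len(query)


def probe(server: str, qname: str = ".", qtype: int = QTYPE_NS,
          rd: bool = False, timeout: float = 3.0) -> bytes:
    """Send the query over UDP/53 and return the raw reply (needs network access)."""
    query = build_query(qname, qtype, rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        return sock.recvfrom(4096)[0]


def constructed_response(query: bytes, rcode: int, aa: bool, ns_names=()) -> bytes:
    """Constructed reply for offline use: echoes the question and places NS records
    for the root in the authority section, the shape of a root-hints reply."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)   # QR set, AA optional
    question = query[12:]
    authority = b""
    for n in ns_names:
        rdata = encode_name(n)
        authority += (encode_name(".")
                      + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 518400, len(rdata))
                      + rdata)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, len(ns_names), 0)
    return header + question + authority


if __name__ == "__main__":
    q = build_query(".", QTYPE_NS, rd=False)
    open_reply = constructed_response(q, RCODE_NOERROR, False,
                                      ["a.root-servers.net", "b.root-servers.net"])
    closed_reply = constructed_response(q, RCODE_REFUSED, False)
    print("open cache  :", classify(open_reply), "x%.1f" % amplification(q, open_reply))
    print("closed cache:", classify(closed_reply))
    # Live check against an assumed address: print(classify(probe("192.0.2.53")))
```

The same check by hand is `dig @server . NS +norecurse`: status REFUSED from outside the trusted ACL and NOERROR with the hints only from inside is what the comment 5 configuration should produce. A REFUSED reply is the same size as the query, so restricting allow-query-cache also brings the amplification ratio for these queries down to about 1; with the { any; } default a full root-hints reply (13 NS records plus glue) is several times the 17-byte query.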
Comment 14 Chris Ward 2009-07-03 14:22:53 EDT
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.
Comment 16 Adam Tkac 2009-07-23 09:12:08 EDT
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause:
=======
There was no easy way to distinguish between clients which will get authoritative or non-authoritative data and restrict certain clients.

Consequence:
============
A misconfigured server replies to requests which should be denied. Attackers might use such a misconfigured server as a DNS reflector or to get security-sensitive information from the server's cache.

Fix:
====
New option called "allow-query-cache" has been backported. This option controls access to all server's non-authoritative data, for example cached recursive results and root zone hits.

Result:
=======
Administrators can use the "allow-query-cache" option to control access to non-authoritative data. By default all clients are allowed to access non-authoritative data.
Comment 18 Ryan Lerch 2009-07-23 23:33:04 EDT
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,15 +1 @@
-Cause:
+the <filename>bind</filename> (Berkeley Internet Name Domain) package provides an implementation of the DNS (Domain Name System) protocols. Previously, bind did not offer a mechanism to easily distinguish between requests that will receive authoritative and non-authoritative replies. Consequently, an incorrectly configured server may have replied to requests that should have been denied. With this update, bind has been updated, providing the new option <command>allow-query-cache</command> that controls access to non-authoritative data on a server (for example: cached recursive results and root zone hits).-=======
-There was no easy way how to distinguish between clients which will get authoritative or non-authoritative data and restrict certain clients.
-
-Consequence:
-============
-Misconfigured server which replies to requests which should be denied. Attackers might use such misconfigured server as a DNS reflector or to get security sensitive information from server's cache.
-
-Fix:
-====
-New option called "allow-query-cache" has been backported. This option controls access to all server's non-authoritative data, for example cached recursive results and root zone hits.
-
-Result:
-=======
-Administrators can use the "allow-query-cache" option to control access to non-authoritative data. By default all clients are allowed to access non-authoritative data.
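Review bot: the replacement text drops the Consequence paragraph, which is the security motivation for this backport (a misconfigured server usable as a DNS reflector or leaking cached data); the one-paragraph form should keep at least one sentence saying what an open cache exposes, and it should also keep the Result sentence that the default is still { any; }, since readers of the release note otherwise assume the update hardens their server without a configuration change. Two smaller points on the `+` line: it starts with lowercase "the", and "bind has been updated, providing the new option" can be shortened to "this update adds the new option". The removed "=======" line appears fused onto the end of the `+` line ("root zone hits).-======="), so the rendered diff should be checked before it is proofread.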
Comment 21 errata-xmlrpc 2009-09-02 03:37:12 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1420.html
