Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 952311

Summary: Ship default /etc/named.conf to prevent harmful misconfigurations
Product: Red Hat Enterprise Linux 5 Reporter: Adam Tkac <atkac>
Component: bindAssignee: Tomáš Hozza <thozza>
Status: CLOSED WONTFIX QA Contact: qe-baseos-daemons
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.10CC: atkac, jlieskov, ovasik, pwouters, security-response-team, thozza
Target Milestone: rcFlags: ovasik: needinfo-
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-03 12:37:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Tkac 2013-04-15 15:56:23 UTC
Description of problem:
Currently bind is shipped with no default named.conf. From the statistics related to the recent "open resolver" attacks it implied that the current default bind configuration on Red Hat Enterprise Linux 5 leads to practices when the default configuration is also used for DNS resolver settings for Internet connections. Due to lack of default named.conf warning messages inexperienced administrators previously tended to simply allow all traffic, allowing the server in question to participate on distributed denial of service attacks (to mention some example why the default configuration should not be used for Interned connections). Default named.conf with warnings should prevent such misconfigurations to happen in the future.

Version-Release number of selected component (if applicable):
bind-9.3.6-20.P1.el5_8.6

Actual results:
No default named.conf with explicit warning about allow-query and allow-query-cache directives.

Comment 1 Paul Wouters 2013-04-22 14:52:11 UTC
How about in the stock named.conf along the lines of:

/* 
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
      recursion. 
 - If your recursive DNS server has a public IP address, you MUST enable access 
      control to limit queries to your legitimate users. Failing to do so will
      cause your server to become part of large scale DNS amplification 
      attacks. Implementing BCP38 within your network would greatly
      reduce such attack surface 
*/

Comment 6 Tomáš Hozza 2013-05-02 09:29:56 UTC
Thank you Paul for the warning message. It looks reasonable to me.

If you don't mind I would like to use the same warning in named.conf
distributed in Fedora.

Comment 7 Paul Wouters 2013-05-02 14:54:17 UTC
please do

Comment 8 RHEL Program Management 2014-02-25 00:14:55 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 9 RHEL Program Management 2014-03-07 13:45:25 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 10 RHEL Program Management 2014-06-03 12:37:37 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).