BIND was found to not properly handle certain configuration options, unintentionally permitting all clients to perform recursive queries. This occurs when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query", which causes the "allow-recursion" setting to inherit a value of all hosts from the "allow-query" default.
Permitting recursive queries by unauthorized clients can:
* Increase the load on a server, possibly degrading service to authorized clients.
* Allow a server to be co-opted for use in DNS reflection attacks.
* Allow an attacker to deduce which queries a server has previously serviced by examining the results of queries answered from the cache, potentially leaking private information about what queries have been performed.
This affects the following versions:
* 9.12.0 to 9.12.1-P2
The flaw was introduced via the following upstream commit:
This change has not yet been included in any bind in Red Hat Enterprise Linux.
Created bind tracking bugs for this issue:
Affects: fedora-all [bug 1590580]
Created bind99 tracking bugs for this issue:
Affects: fedora-all [bug 1590579]
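A configuration check for the condition described in the flaw summary above, as an added example that is not part of the original report or of BIND: it flags a named.conf whose global options leave recursion on with none of "allow-recursion", "allow-query-cache" or "allow-query" set. It assumes only the global options block matters (views and include files are not followed), treats an unset "recursion" as yes (BIND's default), and uses constructed sample configurations.

```python
import re

# ACLs named in the report; if any is set explicitly, nothing is inherited
# from the "allow-query" default (assumption of this check).
ACL_KEYS = ("allow-recursion", "allow-query-cache", "allow-query")

def strip_comments(text):
    """Remove /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_statements(text):
    """Return the top-level statements of the global options { } block."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return []
    stmts, cur, depth = [], [], 1
    for ch in text[m.end():]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:          # closing brace of the options block
                break
        if ch == ";" and depth == 1:
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [s for s in stmts if s]

def recursion_open_to_all(conf_text):
    """True when recursion is on and no relevant ACL is set explicitly."""
    settings = {}
    for stmt in options_statements(strip_comments(conf_text)):
        key = re.match(r"[\w-]+", stmt)
        if key:
            settings[key.group(0)] = stmt[key.end():].strip()
    value = settings.get("recursion", "yes").lower()
    recursion_on = value not in ("no", "false", "0")
    return recursion_on and not any(k in settings for k in ACL_KEYS)

# Constructed sample configurations, not taken from any real server.
EXPOSED = 'options {\n  directory "/var/named";\n  recursion yes;\n' \
          '  // allow-recursion { localnets; };\n};\n'
RESTRICTED = EXPOSED.replace("// allow-recursion", "allow-recursion")

if __name__ == "__main__":
    print("exposed:", recursion_open_to_all(EXPOSED))
    print("restricted:", recursion_open_to_all(RESTRICTED))
```

A True result matters only on the affected versions listed above.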