Bugtraq mailing list archives
Bind 8.* bug.
From: alan () MANAWATU GEN NZ (Alan Brown)
Date: Mon, 11 Jan 1999 23:02:29 +1300
For a change, this is a case of security restrictions being too tight; however, it results in hosts "disappearing" from visible DNS for users of large parts of the net.

If you set up nameservers so that only specified netblocks can make general recursive queries using the global "allow-query { acl-query; };" parameter, but also serve domains/zonefiles from the same server with "allow-query { any; };", then things work well _except_ under the following circumstance:

If you have a DNS entry which is a CNAME to a zonefile/domain not served from the same nameserver (e.g. www.fred.com IN CNAME fredssite.someotherisp.com), then if queried for the CNAME, the nameserver will refuse to answer the query.

The end result is that non-local lookups for www.fred.com fail in most circumstances, as the originating site resolver doesn't seem to do a full DNS lookup procedure on fredssite.someotherisp.com, but continues to ask the nameserver it just queried about www.fred.com for data on fredssite.someotherisp.com. The only time I've found that a lookup for www.fred.com. will work is if fredssite.someotherisp.com is already cached in the nameserver making the query.

This was tested with BIND 8.1.2 and the associated lookup tools (host, dig, etc.) running on the querying and nameserving hosts.

Workarounds:

1: Leave your nameservers wide open to recursive queries from anywhere on the net.

or

2: Disallow CNAMEs pointing to domains not supplied from the same nameserver.

Both have their problems: immediately after locking our nameservers down to only allow general queries from authorised netblocks, I found what appeared to be an entire ISP dialin pool in another country hammering the servers. Disallowing offsite CNAMEs means that one must be kept informed whenever another provider changes IPs for offsite hosts you point to, and those changes must be attended to locally ASAP.

This was forwarded to bind-bugs () isc org about a week ago with no response.

AB
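The interaction described in the post, modelled as an added Python example (this is not code from the post or from BIND): a locked-down server answers its own zones for anyone but refuses offsite names from clients outside the global ACL, and the remote resolver re-asks that same server for the CNAME target instead of resolving it from the root. The ACL netblock, client addresses and zone data are constructed for illustration.

```python
import ipaddress

# Constructed model of the setup in the post: the global allow-query ACL admits
# one netblock, while zone "fred.com" is served with allow-query { any; }.
ACL_QUERY = [ipaddress.ip_network("192.0.2.0/24")]  # "acl-query" netblock (constructed)
LOCAL_ZONES = {
    "fred.com.": {"www.fred.com.": ("CNAME", "fredssite.someotherisp.com.")},
}

def in_acl(client):
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in ACL_QUERY)

def local_zone(name):
    """Return the locally served zone containing `name`, or None if it is offsite."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in LOCAL_ZONES:
            return candidate
    return None

def auth_server(client, qname):
    """The locked-down server: data from its own zones goes to anyone (zone-level
    allow-query { any; }); anything that needs recursion hits the global ACL."""
    zone = local_zone(qname)
    if zone is not None:
        rtype, data = LOCAL_ZONES[zone][qname]  # assume the name exists (constructed)
        return {"rcode": "NOERROR", "rrs": [(qname, rtype, data)]}
    if in_acl(client):
        return {"rcode": "NOERROR", "rrs": [(qname, "A", "<recursed>")]}  # would recurse
    return {"rcode": "REFUSED", "rrs": []}

def remote_resolver(client, qname, cache):
    """The querying resolver as the post describes it: after receiving the CNAME it
    asks the same server for the target, so it only succeeds when the target is
    already in its own cache or the client is inside the server's ACL."""
    reply = auth_server(client, qname)
    if reply["rcode"] != "NOERROR":
        return reply["rcode"]
    _name, rtype, data = reply["rrs"][0]
    if rtype != "CNAME":
        return data
    if data in cache:  # the one case the post found working: target already cached
        return cache[data]
    chase = auth_server(client, data)  # same server again -> REFUSED for outsiders
    return chase["rrs"][0][2] if chase["rcode"] == "NOERROR" else chase["rcode"]
```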