Commit fe6f384b authored by Mark Andrews

2006. [security] Allow-query-cache and allow-recursion now default
                        to the builtin acls "localnets" and "localhost".
                        This is being done to make caching servers less
                        attractive as reflective amplifying targets for
                        spoofed traffic.  This still leaves authoritative
                        servers exposed.
                        The best fix is for full BCP 38 deployment to
                        remove spoofed traffic.
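The defaulting rules this commit changes can be checked against a real named.conf before upgrading. The script below is an added example, not ISC's code: it parses the subset of named.conf syntax used in its two constructed samples and reports, per view, the effective allow-query-cache and allow-recursion ACLs under the pre-commit rules (allow-query-cache falls back to allow-query, then to any; allow-recursion falls back to any) and the post-commit rules (no fallback to allow-query; both default to localnets/localhost). The "old"/"new" rule sets are read off this diff, ACL names are reported unexpanded, and "open" only means the literal element `any`; all of that is an assumption of the example.

```python
# Added example (not ISC/BIND code): audit the effective allow-query-cache and
# allow-recursion ACLs of a named.conf fragment under the pre-commit ("old") and
# post-commit ("new") defaulting rules, to see which configurations this change
# silently tightens.  The parser covers only the subset of named.conf syntax used
# in the constructed samples below; ACL names are not expanded and an ACL counts
# as "open" only when it contains the literal element "any" (assumptions).
import re

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
NEW_DEFAULT = ["localnets", "localhost"]   # ns_g_defaults value after this commit


def tokenize(text):
    """Strip /* */, // and # comments, then split into tokens."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return _TOKEN.findall(text)


def parse(tokens, i=0):
    """Parse statements up to a closing '}' (or end of input).

    Returns (stmts, index); each stmt is (args, block) where args are the words
    before '{' or ';' and block is the nested statement list or None.
    """
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        args, block = [], None
        while tokens[i] not in ("{", ";"):
            args.append(tokens[i])
            i += 1
        if tokens[i] == "{":
            block, i = parse(tokens, i + 1)
            i += 1                                  # skip the '}'
        if tokens[i] != ";":
            raise ValueError("expected ';' after %s" % " ".join(args))
        i += 1
        stmts.append((args, block))
    return stmts, i


def lookup(scopes, keyword):
    """First statement named `keyword`, searching view then options, which is
    the vconfig-then-config order configure_view_acl() uses for one keyword."""
    for stmts in scopes:
        for args, block in stmts:
            if args and args[0] == keyword:
                return args[1:], block
    return None


def acl_of(hit):
    """Elements of an address match list, e.g. ['!10.1.0.0/16', 'any']."""
    return [" ".join(a) for a, _ in hit[1]] if hit and hit[1] is not None else None


def effective_acls(conf_text, rules):
    """Per-view effective cache and recursion ACLs under rules 'old' or 'new'."""
    stmts, _ = parse(tokenize(conf_text))
    opt = lookup([stmts], "options")
    options = opt[1] if opt else []
    views = [(a[1].strip('"'), b) for a, b in stmts if a and a[0] == "view"]
    if not views:
        views = [("_default", [])]

    report = {}
    for name, vstmts in views:
        scopes = [vstmts, options]
        rec = lookup(scopes, "recursion")
        recursion_on = rec is None or rec[0] == ["yes"]   # named defaults to yes
        cache = acl_of(lookup(scopes, "allow-query-cache"))
        recurse = acl_of(lookup(scopes, "allow-recursion"))
        if rules == "old":
            if cache is None:          # removed fallback: inherit allow-query
                cache = acl_of(lookup(scopes, "allow-query")) or ["any"]
            if recurse is None:
                recurse = ["any"]
        else:
            if cache is None:
                cache = list(NEW_DEFAULT)
            if recurse is None and recursion_on:
                recurse = list(NEW_DEFAULT)
        if not recursion_on:
            recurse = []               # no recursion ACL for an authoritative-only view
        report[name] = {
            "cache": cache,
            "recursion": recurse,
            "open_resolver": recursion_on and "any" in recurse,
            "cache_open": "any" in cache,
        }
    return report


def audit(conf_text):
    """Compare both rule sets and flag views this commit closes to the world."""
    old, new = effective_acls(conf_text, "old"), effective_acls(conf_text, "new")
    return {name: {"old": old[name], "new": new[name],
                   "tightened": old[name]["open_resolver"] and not new[name]["open_resolver"]}
            for name in old}


# Constructed sample: relies on allow-query alone, an open resolver before this commit.
OPEN_BY_DEFAULT = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };   // before this commit, this also opened the cache
};
"""

# Constructed sample: explicit ACLs, identical behaviour under both rule sets.
PINNED = """
acl trusted { 192.0.2.0/24; 2001:db8::/32; localhost; };
options {
    recursion yes;
    allow-query { any; };            # authoritative data may stay public
    allow-query-cache { trusted; };
    allow-recursion { trusted; };
};
view "guest" {
    match-clients { 198.51.100.0/24; };
    allow-recursion { 198.51.100.0/24; };   /* cache ACL comes from options */
    zone "." { type hint; file "named.root"; };
};
"""

if __name__ == "__main__":
    for label, conf in (("open-by-default", OPEN_BY_DEFAULT), ("pinned", PINNED)):
        for view, r in audit(conf).items():
            print(label, view, r)
```

Running it shows the first sample flipping from an open resolver to localnets/localhost on both ACLs, while the pinned sample's "guest" view keeps `trusted` for the cache (inherited from options) and its own list for recursion under either rule set.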
parent 9cd14855
2006. [security] Allow-query-cache and allow-recursion now default
to the builtin acls "localnets" and "localhost".
This is being done to make caching servers less
attractive as reflective amplifying targets for
spoofed traffic. This still leave authoritative
servers exposed.
The best fix is for full BCP 38 deployment to
remove spoofed traffic.
2005. [bug] libbind: Retransmission timeouts should be
based on which attempt it is to the nameserver
and not the nameserver itself. [RT #13548]
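Review bot: the 2006 entry states the new defaults but not the removed fallback: allow-query-cache no longer inherits from allow-query (the old `if (view->queryacl == NULL)` path to "allow-query" in server.c is deleted in this commit), so a server that relied on `allow-query { any; };` to serve cached answers will start refusing off-net clients on upgrade. Suggest adding a sentence along the lines of "allow-query-cache no longer defaults to allow-query; set it explicitly to keep the old behaviour." Also "This still leave" should read "This still leaves".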
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.71 2006/03/06 01:27:51 marka Exp $ */
/* $Id: config.c,v 1.72 2006/03/09 03:30:18 marka Exp $ */
/*! \file */
......@@ -103,7 +103,8 @@ options {\n\
/* view */\n\
allow-notify {none;};\n\
allow-update-forwarding {none;};\n\
allow-recursion {any;};\n\
allow-query-cache { localnets; localhost; };\n\
allow-recursion { localnets; localhost; };\n\
# allow-v6-synthesis <obsolete>;\n\
# sortlist <none>\n\
# topology <none>\n\
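Review bot: the new lines use `{ localnets; localhost; }` with inner spaces while the neighbouring defaults (`allow-notify {none;};`, `allow-update-forwarding {none;};`) do not; pick one form for the defaults string. On substance, `localnets` grants cache and recursion access to every subnet directly attached to the server, which on a host with a large or public-facing interface network is considerably more than "localhost"; the ARM hunk below should say so rather than presenting the two builtin acls as equivalent to local-only access.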
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.459 2006/02/28 02:39:51 marka Exp $ */
/* $Id: server.c,v 1.460 2006/03/09 03:30:18 marka Exp $ */
/*! \file */
......@@ -1430,8 +1430,9 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
actx, ns_g_mctx, &view->queryacl));
if (view->queryacl == NULL)
CHECK(configure_view_acl(vconfig, config, "allow-query",
actx, ns_g_mctx, &view->queryacl));
CHECK(configure_view_acl(NULL, ns_g_defaults,
"allow-query-cache", actx,
ns_g_mctx, &view->queryacl));
if (strcmp(view->name, "_bind") != 0)
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
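Review bot: with the fallback to "allow-query" gone, the `ns_g_defaults` lookup is the only default for `view->queryacl`, so any deployment whose cache access was governed by `allow-query { any; }` silently changes to localnets/localhost and remote clients get REFUSED for non-authoritative names. That is the intent, but it is a behavioural change on upgrade; consider a startup log message when `allow-query-cache` is absent and recursion is on, so operators can see which ACL is in force. Worth confirming too that `view->queryacl` is consulted only for cache answers and not for authoritative zone data, since the ARM text for `allow-query` in this same commit continues to promise that zone data stays reachable from all hosts by default.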
......@@ -1450,6 +1451,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
"both \"recursion no;\" and \"allow-recursion\" "
"active%s%s", forview, viewname);
/*
* Set default "allow-recursion" acl.
*/
if (view->recursionacl == NULL && view->recursion)
CHECK(configure_view_acl(NULL, ns_g_defaults, "allow-recursion",
actx, ns_g_mctx, &view->recursionacl));
CHECK(configure_view_acl(vconfig, config, "sortlist",
actx, ns_g_mctx, &view->sortlist));
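Review bot: the two defaults are applied independently and nothing in this hunk makes one imply the other, so an operator who sets only `allow-recursion { 10.0.0.0/8; };` leaves `allow-query-cache` at localnets/localhost and those 10/8 clients match the recursion ACL but not the cache ACL. Either derive the `allow-query-cache` default from a configured `allow-recursion` when only the latter is set, or state in the ARM that the two must be set together. The `view->recursion` guard is right: an authoritative-only view should not acquire a recursion ACL it cannot use.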
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.297 2006/03/06 01:27:52 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.298 2006/03/09 03:30:18 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -3069,20 +3069,21 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
and whether the element was negated.
</para>
<para>
When used as an access control list, a non-negated match allows
access and a negated match denies access. If there is no match,
access is denied. The clauses <command>allow-notify</command>,
<command>allow-query</command>, <command>allow-query-cache</command>,
<command>allow-transfer</command>,
<command>allow-update</command>, <command>allow-update-forwarding</command>,
and <command>blackhole</command> all use address match
lists.
Similarly, the listen-on option will cause the server to not
accept
queries on any of the machine's addresses which do not match the
list.
</para>
<para>
When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<command>allow-notify</command>,
<command>allow-query</command>,
<command>allow-query-cache</command>,
<command>allow-transfer</command>,
<command>allow-update</command>,
<command>allow-update-forwarding</command>, and
<command>blackhole</command> all use address match
lists. Similarly, the listen-on option will cause the
server to not accept queries on any of the machine's
addresses which do not match the list.
</para>
<para>
Because of the first-match aspect of the algorithm, an element
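Review bot: both the old and the rewrapped paragraph omit `allow-recursion` from the list of clauses that use address match lists, even though this commit changes its default; add it alongside `allow-query-cache`. Since the hunk only reflows the text, this is the natural place to fix the omission.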
......@@ -5772,64 +5773,57 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-query</command></term>
<listitem>
<para>
Specifies which hosts are allowed to
ask ordinary DNS questions. <command>allow-query</command> may also
be specified in the <command>zone</command>
statement, in which
case it overrides the <command>options allow-query</command> statement.
<command>allow-query-cache</command> may also be
specified and will
overrides access to the cache.
If not specified, the default is to allow queries from all
hosts.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-query</command></term>
<listitem>
<para>
Specifies which hosts are allowed to ask ordinary
DNS questions. <command>allow-query</command> may
also be specified in the <command>zone</command>
statement, in which case it overrides the
<command>options allow-query</command> statement.
If not specified, the default is to allow queries
from all hosts.
</para>
<note>
<para>
<command>allow-query-cache</command> is now
used to specify access to the cache.
</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-query-cache</command></term>
<listitem>
<para>
Specifies which hosts are allowed to get answers
from the cache. If not set <command>allow-query</command> applies.
</para>
<para>
The recommended way to set query access to the cache is now
via
<command>allow-query-cache</command> rather than
<command>allow-query</command>.
Inheritance from <command>allow-query</command>
has been retained for
backwards compatability.
</para>
<note>
<para>
If <command>allow-query-cache</command> is set
at the options
level and not set in the view it will still override a
<command>allow-query</command> set at the view
level.
</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-query-cache</command></term>
<listitem>
<para>
Specifies which hosts are allowed to get answers
from the cache. The default is the builtin acls
<command>localnets</command> and
<command>localhost</command>.
</para>
<para>
The way to set query access to the cache is now
via <command>allow-query-cache</command>.
This differs from earlier versions which used
<command>allow-query</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-recursion</command></term>
<listitem>
<para>
Specifies which hosts are allowed to
make recursive queries through this server. If not
specified, the
default is to allow recursive queries from all hosts.
Note that disallowing recursive queries for a host does not
prevent the
host from retrieving data that is already in the server's
cache.
Specifies which hosts are allowed to make recursive
queries through this server. If not specified,
the default is to allow recursive queries from
the builtin acls <command>localnets</command> and
<command>localhost</command>.
Note that disallowing recursive queries for a
host does not prevent the host from retrieving
data that is already in the server's cache.
</para>
</listitem>
</varlistentry>
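Review bot: the new allow-query-cache text says only that this "differs from earlier versions which used allow-query", which does not tell an upgrading operator that the fallback is gone; say explicitly that `allow-query-cache` no longer inherits from `allow-query` and that an `allow-query { any; };` configuration without `allow-query-cache` now refuses cached answers to off-net clients. The allow-recursion entry keeps the sentence that disallowing recursion "does not prevent the host from retrieving data that is already in the server's cache"; with the new default that holds only for hosts that also match `allow-query-cache`, so qualify it. Dropping the old note about an options-level `allow-query-cache` overriding a view-level `allow-query` is correct, since `allow-query` no longer affects cache access at all.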