blackhole ACL broken
A submitter who prefers to remain private sent this report to security-officer:
Two weeks ago I upgraded my FreeBSD 11.4 BIND installs to 9.16.3 from a 2017 private build off 7fcd72f5 (right before your major query.c restructure). I was working with Cisco CSIRT this past week trying to trackdown DNS spoofers using Cisco address space and entered six addresses into my blackhole list, reloaded, and the spoofed packets kept coming in. So I reinstalled my 2017 private build and the blackhole ACL worked fine.
For testing, I stripped my blackhole ACL down to a single IP address to test from and tested it against both my 2017 build and the 9.16.3 and same thing: works with my 2017 build but silently fails with 9.16.3. I tried with both the FreeBSD pkg version of BIND 9.16.3 and with the FreeBSD ports version of BIND 9.16.3 I built on the machine locally and both the pkg and ports versions fail.
BIND version used
9.16.3, but we suspect probably introduced with netmgr in late 9.15.x and present in stable releases from 9.16.0
BIND 9.16.3 ports build named -V: BIND 9.16.3 (Stable Release) <id:5ea41c1> running on FreeBSD amd64 11.4-STABLE FreeBSD 11.4-STABLE #26 r361994: Wed Jun 10 00:36:44 UTC 2020 email@example.com:/usr/obj/usr/src/sys/SGT11AMD64ZFS built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.4' 'build_alias=amd64-portbld-freebsd11.4' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -Wl,-rpath,/usr/local/lib -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' compiled by CLANG FreeBSD Clang 10.0.0 (firstname.lastname@example.org:llvm/llvm-project.git llvmorg-10.0.0-0-gd32170dbd5b) compiled with OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020 linked to OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020 compiled with libxml2 version: 2.9.10 linked to libxml2 version: 20910 compiled with json-c version: 0.14 linked to json-c version: 0.14 compiled with zlib version: 1.2.11 linked to zlib version: 1.2.11 threads support is enabled default paths: named configuration: /usr/local/etc/namedb/named.conf rndc configuration: /usr/local/etc/namedb/rndc.conf DNSSEC root key: /usr/local/etc/namedb/bind.keys nsupdate session key: /var/run/named/session.key named PID file: /var/run/named/pid named lock file: /var/run/named/named.lock
What is the current bug behavior?
Blackhole ACL does not appear to be applied