blackhole ACL broken
Summary
A submitter who prefers to remain private sent this report to security-officer:
Two weeks ago I upgraded my FreeBSD 11.4 BIND installs to 9.16.3 from a 2017 private build off 7fcd72f5 (right before your major query.c restructure). I was working with Cisco CSIRT this past week trying to track down DNS spoofers using Cisco address space and entered six addresses into my blackhole list, reloaded, and the spoofed packets kept coming in. So I reinstalled my 2017 private build and the blackhole ACL worked fine.
For testing, I stripped my blackhole ACL down to a single IP address to test from and tested it against both my 2017 build and the 9.16.3, and the same thing: it works with my 2017 build but silently fails with 9.16.3. I tried with both the FreeBSD pkg version of BIND 9.16.3 and with the FreeBSD ports version of BIND 9.16.3 I built on the machine locally, and both the pkg and ports versions fail.
BIND version used
9.16.3, but we suspect it was probably introduced with netmgr in late 9.15.x and is present in stable releases from 9.16.0
BIND 9.16.3 ports build named -V:
BIND 9.16.3 (Stable Release) <id:5ea41c1>
running on FreeBSD amd64 11.4-STABLE FreeBSD 11.4-STABLE #26 r361994: Wed Jun 10 00:36:44 UTC 2020 root@s203.sgt.com:/usr/obj/usr/src/sys/SGT11AMD64ZFS
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.4' 'build_alias=amd64-portbld-freebsd11.4' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -Wl,-rpath,/usr/local/lib -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG FreeBSD Clang 10.0.0 (git@github.com:llvm/llvm-project.git llvmorg-10.0.0-0-gd32170dbd5b)
compiled with OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
What is the current bug behavior?
Blackhole ACL does not appear to be applied
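The report above does not include the submitter's named.conf. As an added illustration (not code from the report or from BIND), the following Python models what the blackhole address match list is supposed to do, so an operator can state the expected outcome for each source address and compare it against what the server actually did. The named.conf fragment is constructed; the matching rule (first matching element wins, a `!` prefix negates) is BIND's documented address-match-list semantics. `find_leaks` returns the sources that should have been dropped but were observed being answered, which is the symptom described in this issue.

```python
import ipaddress
import re

# Constructed sample named.conf fragment (not from the report). The submitter
# reduced their list to a single address; this one also shows a prefix and a
# negated exemption so the first-match rule is exercised.
SAMPLE_NAMED_CONF = """
options {
    directory "/usr/local/etc/namedb";
    blackhole {
        !192.0.2.53;        // exempt one host inside the blocked prefix
        192.0.2.0/24;
        2001:db8:bad::/48;
    };
    recursion no;
};
"""


def parse_blackhole(conf_text):
    """Extract the elements of the blackhole { ... }; address match list.

    Returns a list of (negated, element) pairs in declaration order, where
    element is an ip_network or one of the keywords 'any' / 'none'.
    """
    m = re.search(r'blackhole\s*\{(.*?)\};', conf_text, re.S)
    if not m:
        return []
    body = m.group(1)
    # Strip the three named.conf comment styles before tokenising.
    body = re.sub(r'/\*.*?\*/', '', body, flags=re.S)
    body = re.sub(r'(//|#).*?$', '', body, flags=re.M)
    entries = []
    for tok in body.split(';'):
        tok = tok.strip()
        if not tok:
            continue
        negated = tok.startswith('!')
        tok = tok.lstrip('!').strip()
        if tok in ('any', 'none'):
            entries.append((negated, tok))
        else:
            # A bare address is treated as a host prefix (/32 or /128).
            entries.append((negated, ipaddress.ip_network(tok, strict=False)))
    return entries


def is_blackholed(entries, src):
    """First-match evaluation of an address match list against one source.

    A negated element that matches means "not blackholed"; if nothing
    matches, the default for a blackhole list is to accept the query.
    """
    addr = ipaddress.ip_address(src)
    for negated, element in entries:
        if element == 'any':
            hit = True
        elif element == 'none':
            hit = False
        else:
            hit = addr.version == element.version and addr in element
        if hit:
            return not negated
    return False


def find_leaks(entries, observed_queries):
    """Return sources the ACL should have dropped but the server answered.

    observed_queries is a list of (source_address, was_answered) pairs,
    e.g. reconstructed from a packet capture taken in front of the server.
    """
    return [src for src, answered in observed_queries
            if answered and is_blackholed(entries, src)]


if __name__ == "__main__":
    acl = parse_blackhole(SAMPLE_NAMED_CONF)
    # Constructed observations: every source was answered, which is the
    # failure mode reported against 9.16.3.
    observed = [("192.0.2.10", True), ("192.0.2.53", True),
                ("2001:db8:bad::1", True), ("198.51.100.7", True)]
    for src in find_leaks(acl, observed):
        print("blackhole ACL not applied for", src)
```

Running the module against a capture in which all four constructed sources were answered flags 192.0.2.10 and 2001:db8:bad::1 as leaks; 192.0.2.53 is correctly allowed by the negated element and 198.51.100.7 matches nothing.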