Skip to content

GitLab

  • Menu
Projects Groups Snippets
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
  • BIND BIND
  • Project information
    • Project information
    • Activity
    • Labels
    • Planning hierarchy
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 530
    • Issues 530
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 101
    • Merge requests 101
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Packages & Registries
    • Packages & Registries
    • Container Registry
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • ISC Open Source Projects
  • BINDBIND
  • Issues
  • #309

Closed
Open
Created Jun 04, 2018 by Michael McNally@McNally

Recursion improperly allowed by default

Summary

As reported to security-officer by Andrew Skalski:

I am submitting this bug report privately because it concerns ACL behavior, and I do not know whether the impact is limited to allowing recursion by default, or if it extends further than that.

I recently upgraded a VPS of mine from Ubuntu 16.04 (BIND 9.10.3) to Ubuntu 18.04 (BIND 9.11.3). Since that upgrade, I noticed an increase in network usage, and discovered that my BIND instance was being abused for DNS amplification attacks.

Given that open recursion has been disabled by default for over 10 years (https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html), I did a git-bisect to find the commit that introduced the regression:

    commit 89636d8f305956ad42e95a988502c7345e85ffe1
    Author: Evan Hunt <each@isc.org>
    Date:   Mon Oct 23 11:11:19 2017 -0700

        [master] clean up a redundancy
   
        4777.   [cleanup]       Removed a redundant call to configure_view_acl().
                                [RT #46369]

Steps to reproduce

Start BIND with an empty, default configuration. From a second machine, make a recursive query to the BIND server.

What is the current bug behavior?

(as of commit 89636d8f):

    $ host google.com 45.33.85.152
    Using domain server:
    Name: 45.33.85.152
    Address: 45.33.85.152#53
    Aliases:
   
    google.com has address 216.58.219.238
    google.com has IPv6 address 2607:f8b0:4006:80f::200e
    google.com mail is handled by 50 alt4.aspmx.l.google.com.
    google.com mail is handled by 40 alt3.aspmx.l.google.com.
    google.com mail is handled by 10 aspmx.l.google.com.
    google.com mail is handled by 30 alt2.aspmx.l.google.com.
    google.com mail is handled by 20 alt1.aspmx.l.google.com.

What is the expected correct behavior?

    $ host google.com 45.33.85.152
    Using domain server:
    Name: 45.33.85.152
    Address: 45.33.85.152#53
    Aliases:
   
    Host google.com not found: 5(REFUSED)
Assignee
Assign to
Time tracking