Recursion improperly allowed by default
As reported to security-officer by Andrew Skalski:
I am submitting this bug report privately because it concerns ACL behavior, and I do not know whether the impact is limited to allowing recursion by default, or if it extends further than that.
I recently upgraded a VPS of mine from Ubuntu 16.04 (BIND 9.10.3) to Ubuntu 18.04 (BIND 9.11.3). Since that upgrade, I noticed an increase in network usage, and discovered that my BIND instance was being abused for DNS amplification attacks.
Given that open recursion has been disabled by default for over 10 years (https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html), I did a git-bisect to find the commit that introduced the regression:
commit 89636d8f305956ad42e95a988502c7345e85ffe1 Author: Evan Hunt <firstname.lastname@example.org> Date: Mon Oct 23 11:11:19 2017 -0700 [master] clean up a redundancy 4777. [cleanup] Removed a redundant call to configure_view_acl(). [RT #46369]
Steps to reproduce
Start BIND with an empty, default configuration. From a second machine, make a recursive query to the BIND server.
What is the current bug behavior?
(as of commit 89636d8f):
$ host google.com 184.108.40.206 Using domain server: Name: 220.127.116.11 Address: 18.104.22.168#53 Aliases: google.com has address 22.214.171.124 google.com has IPv6 address 2607:f8b0:4006:80f::200e google.com mail is handled by 50 alt4.aspmx.l.google.com. google.com mail is handled by 40 alt3.aspmx.l.google.com. google.com mail is handled by 10 aspmx.l.google.com. google.com mail is handled by 30 alt2.aspmx.l.google.com. google.com mail is handled by 20 alt1.aspmx.l.google.com.
What is the expected correct behavior?
$ host google.com 126.96.36.199 Using domain server: Name: 188.8.131.52 Address: 184.108.40.206#53 Aliases: Host google.com not found: 5(REFUSED)