Source: bind9
Version: 1:9.9.5.dfsg-9
Severity: normal

Hi!
When a client tries to resolve a .onion name, bind will leak such a request
to the outside internet (a forwarder or a root server).  This is forbidden
by RFC 7686, which demands that both caching and authoritative servers return
NXDOMAIN without looking it up.

IP 10.0.1.6.45589 > 10.0.1.2.domain: 10992+ A? duskgytldkxiuqc6.onion. (40)
IP 10.0.1.6.45589 > 10.0.1.2.domain: 5143+ AAAA? duskgytldkxiuqc6.onion. (40)
IP 10.0.1.2.28166 > e.root-servers.net.domain: 5403% [1au] A? duskgytldkxiuqc6.onion. (51)
IP 10.0.1.2.39325 > e.root-servers.net.domain: 51890% [1au] AAAA? duskgytldkxiuqc6.onion. (51)
IP 10.0.1.2.60534 > e.root-servers.net.domain: 54017% [1au] NS? . (28)
IP e.root-servers.net.domain > 10.0.1.2.28166: 5403 NXDomain*- 0/6/1 (654)
IP e.root-servers.net.domain > 10.0.1.2.39325: 51890 NXDomain*- 0/6/1 (654)

A fix would be to add to named.conf.default-zones:
zone "onion" {
        type master;
        file "/etc/bind/db.empty";
};
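As an added example (not part of this bug report), a small Python script that reads tcpdump output in the format of the capture above and lists every special-use query that the resolver itself sent out, which is exactly the RFC 7686 violation described here. It assumes the resolver is 10.0.1.2 as in the capture, and generalizes slightly by also covering the RFC 6761 special-use names alongside .onion.

```python
import re

# RFC 7686 reserves .onion: a resolver must answer NXDOMAIN itself and never
# send the query upstream. The other suffixes are RFC 6761 special-use names
# that a properly configured resolver treats the same way.
SPECIAL_USE = ("onion", "localhost", "invalid", "test")

# tcpdump's default one-line DNS query format (port 53 shows as "domain",
# or as 53 when run with -n), e.g.
#   IP 10.0.1.2.28166 > e.root-servers.net.domain: 5403% [1au] A? duskgytldkxiuqc6.onion. (51)
QUERY_RE = re.compile(
    r"^IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<id>\d+)\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S*)\. \(\d+\)$"
)

def parse_query(line):
    """Return the fields of a DNS query line, or None for responses and other traffic."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None

def is_special_use(qname):
    """True for names under a special-use TLD, including the bare TLD itself."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-1] in SPECIAL_USE

def find_leaks(lines, resolver):
    """Special-use queries sent *by* the resolver. Per RFC 7686 there is no
    legitimate destination for these, so each one is a leak, whether it went
    to a root server or to a forwarder. Returns (qtype, qname, dst) tuples."""
    leaks = []
    for line in lines:
        q = parse_query(line)
        if q and q["src"] == resolver and is_special_use(q["qname"]):
            leaks.append((q["qtype"], q["qname"], q["dst"]))
    return leaks

# Constructed sample: the capture from the bug report, resolver at 10.0.1.2.
SAMPLE = """\
IP 10.0.1.6.45589 > 10.0.1.2.domain: 10992+ A? duskgytldkxiuqc6.onion. (40)
IP 10.0.1.6.45589 > 10.0.1.2.domain: 5143+ AAAA? duskgytldkxiuqc6.onion. (40)
IP 10.0.1.2.28166 > e.root-servers.net.domain: 5403% [1au] A? duskgytldkxiuqc6.onion. (51)
IP 10.0.1.2.39325 > e.root-servers.net.domain: 51890% [1au] AAAA? duskgytldkxiuqc6.onion. (51)
IP 10.0.1.2.60534 > e.root-servers.net.domain: 54017% [1au] NS? . (28)
IP e.root-servers.net.domain > 10.0.1.2.28166: 5403 NXDomain*- 0/6/1 (654)
IP e.root-servers.net.domain > 10.0.1.2.39325: 51890 NXDomain*- 0/6/1 (654)
""".splitlines()

if __name__ == "__main__":
    for qtype, qname, dst in find_leaks(SAMPLE, "10.0.1.2"):
        print(f"LEAK: {qtype} query for {qname} sent to {dst}")
```

The client-to-resolver queries on 10.0.1.6 are not reported, since a client asking its resolver is fine; only the two queries the resolver forwarded to e.root-servers.net are flagged.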
