>Number:         177607
>Category:       conf
>Synopsis:       named.conf comment to slave root suggests potentially dangerous BIND configuration
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 03 11:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Mark Knight
>Release:        FreeBSD 9.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD shrewd.pub.knigma.org 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r244649: Thu Dec 27 22:02:49 GMT 2012 r...@shrewd.pub.knigma.org:/sys/amd64/compile/SHREWD amd64
>Description:
The comment in the default named.conf encourages users to slave the root but does not provide an example configuration that prevents a name server being used as an amplifier in DDOS attacks. Users who adopt this configuration by uncommenting the supplied entries are likely to receive abuse reports or be unwitting participants in a DDOS attack.
>How-To-Repeat:
Uncomment the zone "." entry and then run

	dig -t ns @x.x.x.x .

from the Internet.
>Fix:
Consider applying a patch such as the one enclosed below to the default configuration file to help users avoid this misconfiguration if they uncomment the relevant slave zone configurations.

Index: etc/namedb/named.conf
===================================================================
--- etc/namedb/named.conf	(revision 247765)
+++ etc/namedb/named.conf	(working copy)
@@ -104,6 +104,7 @@
 	masters {
 		192.5.5.241;	// F.ROOT-SERVERS.NET.
 	};
+	allow-query { localhost; };
 	notify no;
 };
 zone "arpa" {
@@ -112,6 +113,7 @@
 	masters {
 		192.5.5.241;	// F.ROOT-SERVERS.NET.
 	};
+	allow-query { localhost; };
 	notify no;
 };
 */
>Release-Note:
>Audit-Trail:
>Unformatted:
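Review bot: in the first hunk (zone "."), `allow-query { localhost; };` is stricter than the use case the slaved root exists for, namely a recursive server answering a local network; a user who uncomments the block as patched will have every LAN client receive REFUSED for "." while the host itself still works, which is a confusing failure to debug. Suggest either the built-in `localnets` alongside `localhost`, or better a named acl the user is expected to edit, and a one-line `//` comment next to the added line saying why it is there (the open `dig -t ns . ` response the report describes), so the next person to touch the file does not simply delete it.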
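Review bot: the second hunk (zone "arpa") ends on the `*/` context line, which shows both zones are still inside the commented-out block, so this patch changes nothing on a stock install and only helps the user who uncomments it; the explanatory text at the top of that comment block should also be updated to say that `allow-query` must be kept when the zones are enabled. Two further points for the same hunk: the literal `{ localhost; }` is now duplicated in two zones where a single acl definition would keep them in step, and a per-zone `allow-query` restricts only that zone, so the global `allow-query` / `allow-recursion` settings in `options` still need to be set for the server not to be usable as an amplifier through other paths.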
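The configuration the description asks for, shown here as an added example that is not code from the PR or from FreeBSD's shipped named.conf: the stock slaved-root block as it reads once uncommented (no query restriction, the form the report reproduces with dig), beside a form that restricts the zone with a named ACL shared by the `options` block. The acl name "trusted", the 192.0.2.0/24 prefix (the documentation range, standing in for a real LAN), the slave file paths and the example.net zone are assumptions made for the example.

```conf
// Added example, not part of the PR or of FreeBSD's named.conf.
// Assumptions: clients live in 192.0.2.0/24, zone files sit under
// /etc/namedb/slave, and example.net is a zone this host is master for.

// Define the client population once so options and every zone agree.
acl "trusted" {
	localhost;
	192.0.2.0/24;
};

options {
	// Defaults for every zone that does not set its own allow-query,
	// and for recursion. Leaving these at the BIND default ("any")
	// is what makes a slaved root usable as an amplifier for
	// spoofed-source queries from anywhere on the Internet.
	allow-query     { trusted; };
	allow-recursion { trusted; };
};

// Weak form: the stock block as it reads after uncommenting it.
// With no allow-query, the large NS/SOA answer for "." is served
// to any source address, which is what `dig -t ns @x.x.x.x .`
// from outside demonstrates.
//zone "." {
//	type slave;
//	file "/etc/namedb/slave/root.slave";
//	masters { 192.5.5.241; };	// F.ROOT-SERVERS.NET.
//	notify no;
//};

// Hardened form: the slaved root is a private cache for our own
// resolver clients, so only they may read it. The per-zone line is
// set explicitly even though options already restricts it, because
// a per-zone allow-query overrides the global one and a later edit
// to options must not silently reopen the zone.
zone "." {
	type slave;
	file "/etc/namedb/slave/root.slave";
	masters { 192.5.5.241; };	// F.ROOT-SERVERS.NET.
	allow-query { trusted; };
	notify no;
};

zone "arpa" {
	type slave;
	file "/etc/namedb/slave/arpa.slave";
	masters { 192.5.5.241; };	// F.ROOT-SERVERS.NET.
	allow-query { trusted; };
	notify no;
};

// A zone this host is genuinely authoritative for must remain
// world-readable; with the global default now "trusted", that has to
// be stated per zone, which also makes the exposure explicit.
zone "example.net" {
	type master;
	file "/etc/namedb/master/example.net";
	allow-query { any; };
};
```

With this loaded, the report's own check, `dig -t ns @x.x.x.x .` run from an address outside the ACL, should come back REFUSED rather than with the root NS set, and the same query from inside 192.0.2.0/24 should still answer; run both after every reload, since a typo in the acl fails open in one direction and closed in the other. The restriction is on who may read the zone, not on the zone being a slave, so a host that is also master for public zones keeps serving those, and only the root and arpa copies stop being a free amplifier.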