From owner-freebsd-bugs@FreeBSD.ORG Wed Apr 3 11:40:01 2013
Resent-Date: Wed, 3 Apr 2013 11:40:00 GMT
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Message-Id:
<201304031139.r33BdCdq077827@shrewd.pub.knigma.org>
Date: Wed, 3 Apr 2013 12:39:12 +0100 (BST)
From: Mark Knight
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: conf/177607: named.conf comment to slave root suggests potentially dangerous BIND configuration

>Number: 177607
>Category: conf
>Synopsis: named.conf comment to slave root suggests potentially dangerous BIND configuration
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 03 11:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Mark Knight
>Release: FreeBSD 9.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD shrewd.pub.knigma.org 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r244649: Thu Dec 27 22:02:49 GMT 2012 root@shrewd.pub.knigma.org:/sys/amd64/compile/SHREWD amd64
>Description:
The comment in the default named.conf encourages users to slave the root but does not provide an example configuration that prevents the name server from being used as an amplifier in DDoS attacks. Users who adopt this configuration by uncommenting the supplied entries are likely to receive abuse reports or be unwitting participants in a DDoS attack.
>How-To-Repeat:
Uncomment the zone "." entry and then run dig -t ns @x.x.x.x . from the Internet.
>Fix:
Consider applying a patch such as the one enclosed below to the default configuration file, to help users avoid this misconfiguration if they uncomment the relevant slave zone configurations.

Index: etc/namedb/named.conf =================================================================== --- etc/namedb/named.conf (revision 247765) +++ etc/namedb/named.conf (working copy)
@@ -104,6 +104,7 @@ masters { 192.5.5.241; // F.ROOT-SERVERS.NET. }; + allow-query { localhost; }; notify no; }; zone "arpa" { @@ -112,6 +113,7 @@ masters { 192.5.5.241; // F.ROOT-SERVERS.NET. }; + allow-query { localhost; }; notify no; }; */ >Release-Note: >Audit-Trail: >Unformatted:
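Review bot: in both hunks (the zone "." block at line 104 and the "arpa" block at line 112) the added `allow-query { localhost; };` carries no comment, although the whole point of this PR is that the example text misleads people who uncomment it; put a one-line comment beside each, e.g. `// answer only local clients; widen to a trusted-network ACL if other hosts use this resolver`, so that a reader sees why the restriction is there and that `localhost` alone will refuse these zones to every other host. It is also worth saying in that comment that a zone-level `allow-query` limits queries for that zone only and does not change the global `options` ACLs, so whether the server still answers or recurses for the Internet is governed there, not by this line. Both hunks end inside the `*/` of the commented-out block, so the change is a no-op until the zones are uncommented, which matches the PR's intent.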
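For readers who want the configuration the Description says the default file lacks, here is an added example of a root-slave setup that is closed to the Internet; it is not the PR's patch or the FreeBSD default, and the `trusted` ACL members, the `file` path and the zone layout are assumed values to be adapted to the site. The only element taken from the patch is the master address.

```conf
// Added example, not part of the PR. Addresses in "trusted" and the
// slave file path are placeholders; only the master address comes from
// the PR's patch.
acl "trusted" {
	127.0.0.0/8;
	::1/128;
	192.0.2.0/24;   // placeholder for the local network (RFC 5737 range)
};

options {
	// Global ACLs decide who the server talks to at all. Keeping both
	// closed is what stops spoofed Internet queries from being answered
	// and reflected; a zone-level allow-query alone does not do this.
	allow-query     { trusted; };
	allow-recursion { trusted; };
};

zone "." {
	type slave;
	file "slave/root.slave";          // assumed path
	masters {
		192.5.5.241;              // F.ROOT-SERVERS.NET.
	};
	// Zone-level restriction as in the PR's patch, but using the site ACL
	// rather than bare localhost so LAN resolvers keep working. It stays
	// effective even if a later edit widens the global allow-query.
	allow-query { trusted; };
	notify no;
};
```

After loading this, a query such as `dig -t ns @<server> .` from a host outside `trusted` should be refused, while the same query from a trusted host still returns the root NS set.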