From owner-freebsd-security Tue Nov 16 23:37: 8 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP id C8E0E14DAE
	for ; Tue, 16 Nov 1999 23:37:03 -0800 (PST)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id XAA20577;
	Tue, 16 Nov 1999 23:36:47 -0800 (PST)
	(envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199911170736.XAA20577@gndrsh.dnsmgr.net>
Subject: Re: Tracing Spoofed Packets
In-Reply-To: <87189.942820529@verdi.nethelp.no> from "sthaug@nethelp.no" at "Nov 17, 1999 07:35:29 am"
To: sthaug@nethelp.no
Date: Tue, 16 Nov 1999 23:36:46 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > That reminds me of a hack I started working on that someone really should
> > do. In gated for routing we have the ``martians list'' of ip addresses
> > that it won't listen to nobody nohow about routing for, well, it would
> > be really sweet if bind/named could also have this, so that these bogus
> > NS records with RFC1918 addresses in them (mostly due to misconfigured
> > internal nameservers leaking info to the internet) could be easily ignored
> > by those of us who know how to do it correctly.
>
> BIND already does a similar thing for 0.0.0.0, 127.0.0.1 etc. See the
> code from BIND 8.2.2-P3 src/bin/named/ns_forw.c included below. It
> should be easy enough to extend this list - but it would be even better
> if the list was configurable, of course.

Yea... there is the code that needs hacked^H^H^H^Hfixed to take a config
list of addresses. Hard coding this in the source was a mistake, it also
leaves out lots of potential ``Bogus''.
And, for some of us refuses some data that is actually valid to us:

netstat -rn
...
OSPF-ALL.MCAST.NET   localhost          UH          1      607     lo0
OSPF-DSIG.MCAST.NE   localhost          UH          1        4     lo0

I can't do a forward lookup on OSPF-ALL.MCAST.NET due to the code below,
something that I would like to do (okay, so I already hacked my named not
to reject this one, and hacked it to reject a lot of others, but it is
just that, a bunch of hacks!!)

Someone with some time on their hands please de-hardcode these addresses,
add a configuration item (I like the gated name of ``martians'') and
submit it to Vixie for the next release...) or maybe even ask Paul about
doing it...

>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
> ----------------------------------------------------------------------
> 			if (ina_hlong(ina_get(dp->d_data)) == INADDR_ANY) {
> 				static const char *complaint =
> 					"Bogus (0.0.0.0) A RR";
> 				nslookupComplain(sysloginfo, syslogdname,
> 						 complaint, dname, dp, nsdp);
> 				continue;
> 			}
> #ifdef INADDR_LOOPBACK
> 			if (ina_hlong(ina_get(dp->d_data))==INADDR_LOOPBACK) {
> 				static const char *complaint =
> 					"Bogus LOOPBACK A RR";
> 				nslookupComplain(sysloginfo, syslogdname,
> 						 complaint, dname, dp, nsdp);
> 				continue;
> 			}
> #endif
> #ifdef INADDR_BROADCAST
> 			if (ina_hlong(ina_get(dp->d_data))==INADDR_BROADCAST){
> 				static const char *complaint =
> 					"Bogus BROADCAST A RR";
> 				nslookupComplain(sysloginfo, syslogdname,
> 						 complaint, dname, dp, nsdp);
> 				continue;
> 			}
> #endif
> #ifdef IN_MULTICAST
> 			if (IN_MULTICAST(ina_hlong(ina_get(dp->d_data)))) {
> 				static const char *complaint =
> 					"Bogus MULTICAST A RR";
> 				nslookupComplain(sysloginfo, syslogdname,
> 						 complaint, dname, dp, nsdp);
> 				continue;
> 			}
> #endif
>

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
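Added example (not part of the message above, and not BIND's or gated's code): a small configurable "martians" table of the kind the thread asks for, replacing the hardcoded INADDR_ANY/INADDR_LOOPBACK/INADDR_BROADCAST/IN_MULTICAST tests quoted from ns_forw.c with CIDR prefixes loaded at run time. It goes beyond the quoted code in two ways: it adds the RFC1918 ranges the message complains are missing, and it supports "allow" exceptions so a narrow prefix such as 224.0.0.5/32 (OSPF-ALL.MCAST.NET) can be carved out of the wider multicast reject, which is exactly the case the author had to hand-patch. All names (martian_t, martians_add, martian_reason, martians_load_defaults) are hypothetical, the loopback entry is widened to 127.0.0.0/8 rather than BIND's single 127.0.0.1, and the sample addresses are constructed for the demonstration.

```c
/* Configurable "martians" list for A RR sanity checks (added example;
 * not BIND's code). Addresses are handled in host byte order, matching
 * what ina_hlong() hands the quoted ns_forw.c checks. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MARTIANS 32

typedef struct {
    uint32_t net;     /* network prefix, host byte order */
    uint32_t mask;    /* netmask, host byte order */
    int allow;        /* 1 = exception (accept), 0 = reject */
    char reason[40];  /* complaint text, as nslookupComplain() would log */
} martian_t;

static martian_t table[MAX_MARTIANS];
static int table_len;

/* Parse "a.b.c.d/len" (len optional, default 32). Returns 0 on success. */
static int parse_cidr(const char *s, uint32_t *net, uint32_t *mask) {
    char buf[32];
    char *slash;
    struct in_addr ina;
    int len = 32;
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    slash = strchr(buf, '/');
    if (slash) { *slash = '\0'; len = atoi(slash + 1); }
    if (len < 0 || len > 32) return -1;
    if (inet_pton(AF_INET, buf, &ina) != 1) return -1;
    *mask = (len == 0) ? 0 : 0xffffffffu << (32 - len);  /* avoid UB shift by 32 */
    *net = ntohl(ina.s_addr) & *mask;
    return 0;
}

/* Add one entry, as one config line would. Returns 0, or -1 on bad input. */
int martians_add(const char *cidr, int allow, const char *reason) {
    martian_t *m;
    if (table_len >= MAX_MARTIANS) return -1;
    m = &table[table_len];
    if (parse_cidr(cidr, &m->net, &m->mask) != 0) return -1;
    m->allow = allow;
    snprintf(m->reason, sizeof m->reason, "%s", reason);
    table_len++;
    return 0;
}

void martians_clear(void) { table_len = 0; }

/* Return the complaint for a rejected address, or NULL if acceptable.
 * Exceptions are checked first so an "allow" can punch a hole in a
 * wider reject prefix (224.0.0.5/32 inside 224.0.0.0/4). */
const char *martian_reason(uint32_t addr) {
    int i;
    for (i = 0; i < table_len; i++)
        if (table[i].allow && (addr & table[i].mask) == table[i].net)
            return NULL;
    for (i = 0; i < table_len; i++)
        if (!table[i].allow && (addr & table[i].mask) == table[i].net)
            return table[i].reason;
    return NULL;
}

/* Same check from a dotted quad; unparseable input is itself a complaint. */
const char *martian_reason_str(const char *dotted) {
    struct in_addr ina;
    if (inet_pton(AF_INET, dotted, &ina) != 1) return "unparseable address";
    return martian_reason(ntohl(ina.s_addr));
}

/* Default table: what BIND 8 hardcodes, plus RFC1918, plus the OSPF
 * all-routers exception from the message. In practice this would be
 * read from named's config instead of compiled in. */
void martians_load_defaults(void) {
    martians_clear();
    martians_add("0.0.0.0/32",         0, "Bogus (0.0.0.0) A RR");
    martians_add("127.0.0.0/8",        0, "Bogus LOOPBACK A RR");
    martians_add("255.255.255.255/32", 0, "Bogus BROADCAST A RR");
    martians_add("224.0.0.0/4",        0, "Bogus MULTICAST A RR");
    martians_add("10.0.0.0/8",         0, "Bogus RFC1918 A RR");
    martians_add("172.16.0.0/12",      0, "Bogus RFC1918 A RR");
    martians_add("192.168.0.0/16",     0, "Bogus RFC1918 A RR");
    martians_add("224.0.0.5/32",       1, "OSPF-ALL.MCAST.NET");  /* local exception */
}

int main(void) {
    /* constructed sample addresses */
    const char *samples[] = { "0.0.0.0", "127.0.0.1", "10.1.2.3",
                              "224.0.0.5", "224.0.0.6", "192.0.2.1" };
    size_t i;
    martians_load_defaults();
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = martian_reason_str(samples[i]);
        printf("%-16s %s\n", samples[i], r ? r : "accepted");
    }
    return 0;
}
```

With the default table, 224.0.0.6 (OSPF-DSIG) is still rejected as multicast while 224.0.0.5 passes because of the allow entry, so a site that also needs the designated-routers address would add a second exception line rather than patch the binary.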