Date:      Tue, 16 Nov 1999 23:36:46 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        sthaug@nethelp.no
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Tracing Spoofed Packets
Message-ID:  <199911170736.XAA20577@gndrsh.dnsmgr.net>
In-Reply-To: <87189.942820529@verdi.nethelp.no> from "sthaug@nethelp.no" at "Nov 17, 1999 07:35:29 am"

> > That reminds me of a hack I started working on that someone really should
> > do.  In gated for routing we have the ``martians list'' of ip addresses
> > that it won't listen to nobody nohow about routing for, well, it would
> > be really sweet if bind/named could also have this, so that these bogus
> > NS records with RFC1918 addresses in them (mostly due to misconfigured
> > internal nameservers leaking info to the internet) could be easily ignored
> > by those of us who know how to do it correctly.
> 
> BIND already does a similar thing for 0.0.0.0, 127.0.0.1 etc. See the
> code from BIND 8.2.2-P3 src/bin/named/ns_forw.c included below. It
> should be easy enough to extend this list - but it would be even better
> if the list was configurable, of course.

Yea... there is the code that needs hacked^H^H^H^Hfixed to take a config
list of addresses.  Hard coding this in the source was a mistake, it also
leaves out lots of potential ``Bogus''.  And, for some of us refuses some
data that is actually valid to us:
netstat -rn
...
OSPF-ALL.MCAST.NET localhost          UH          1      607      lo0
OSPF-DSIG.MCAST.NE localhost          UH          1        4      lo0

I can't do a forward lookup on OSPF-ALL.MCAST.NET due to the code below,
something that I would like to do (okay, so I already hacked my named not
to reject this one, and hacked it to reject a lot of others, but it is just
that, a bunch of hacks!!)

Someone with some time on their hands please de-hardcode these addresses,
add a configuration item (I like the gated name of ``martians'') and submit
it to Vixie for the next release...)  or maybe even ask Paul about doing it...

> 
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
> ----------------------------------------------------------------------
> 			if (ina_hlong(ina_get(dp->d_data)) == INADDR_ANY) {
> 				static const char *complaint =
> 					"Bogus (0.0.0.0) A RR";
> 				nslookupComplain(sysloginfo, syslogdname,
> 						 complaint, dname, dp, nsdp);
> 				continue;
> 			}
> #ifdef INADDR_LOOPBACK
> 			if (ina_hlong(ina_get(dp->d_data))==INADDR_LOOPBACK) {
> 				static const char *complaint =
> 					"Bogus LOOPBACK A RR";
> 				nslookupComplain(sysloginfo, syslogdname,
> 						 complaint, dname, dp, nsdp);
> 				continue;
> 			}
> #endif
> #ifdef INADDR_BROADCAST
> 			if (ina_hlong(ina_get(dp->d_data))==INADDR_BROADCAST){
> 				static const char *complaint = 
> 					"Bogus BROADCAST A RR";
> 				nslookupComplain(sysloginfo, syslogdname,
> 						 complaint, dname, dp, nsdp);
> 				continue;
> 			}
> #endif
> #ifdef IN_MULTICAST
> 			if (IN_MULTICAST(ina_hlong(ina_get(dp->d_data)))) {
> 				static const char *complaint =
> 					"Bogus MULTICAST A RR";
> 				nslookupComplain(sysloginfo, syslogdname,
> 						 complaint, dname, dp, nsdp);
> 				continue;
> 			}
> #endif
> 


-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
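A sketch of what a configurable ``martians'' list for A RR sanity checks could look like, added here as an illustration; it is not code from BIND, gated, or anyone on this thread. It replaces the hardcoded INADDR_ANY / loopback / broadcast / multicast tests quoted above with a longest-prefix-match table that can be loaded from configuration, adds the RFC1918 ranges the message complains about, and supports allow entries so an operator who legitimately resolves OSPF-ALL.MCAST.NET can exempt 224.0.0.5 without patching the source. The function names (martian_add, martian_match, check_a_rr), the table size, and the default prefix set are assumptions of this example, not anything BIND provides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example only: a configurable "martians" table for A RR sanity checks.
 * Not BIND or gated code; names, defaults and table size are assumptions. */

struct martian {
    uint32_t net;   /* network address, host byte order, already masked */
    int      plen;  /* prefix length 0..32 */
    int      allow; /* 1 = exception that re-permits a more specific range */
};

#define MAX_MARTIANS 64
static struct martian martians[MAX_MARTIANS];
static int nmartians;

/* Parse "a.b.c.d" into host byte order; returns 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static uint32_t plen_mask(int plen)
{
    return plen == 0 ? 0u : 0xFFFFFFFFu << (32 - plen);
}

void martian_clear(void) { nmartians = 0; }

/* Add "net/plen" to the table (allow=1 makes it an exception).
 * Returns 0 on a parse error or when the table is full. */
int martian_add(const char *cidr, int allow)
{
    char buf[32], *slash, tail;
    uint32_t net;
    int plen;

    if (nmartians >= MAX_MARTIANS || strlen(cidr) >= sizeof buf)
        return 0;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (slash == NULL)
        return 0;
    *slash = '\0';
    if (!parse_ipv4(buf, &net))
        return 0;
    if (sscanf(slash + 1, "%d%c", &plen, &tail) != 1 || plen < 0 || plen > 32)
        return 0;
    martians[nmartians].net   = net & plen_mask(plen);
    martians[nmartians].plen  = plen;
    martians[nmartians].allow = allow;
    nmartians++;
    return 1;
}

/* Defaults: what the quoted BIND code hardcodes, plus RFC1918 (assumed set). */
void martian_load_defaults(void)
{
    static const char *const defaults[] = {
        "0.0.0.0/8", "127.0.0.0/8", "255.255.255.255/32", "224.0.0.0/4",
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    };
    size_t i;
    martian_clear();
    for (i = 0; i < sizeof defaults / sizeof defaults[0]; i++)
        martian_add(defaults[i], 0);
}

/* Longest-prefix match: the most specific entry decides, so an allow entry
 * overrides a broader deny. Unparsable input is treated as bogus.
 * Returns 1 if the address should be rejected, 0 if it is acceptable. */
int martian_match(const char *addr)
{
    uint32_t a;
    int i, best = -1, reject = 0;

    if (!parse_ipv4(addr, &a))
        return 1;
    for (i = 0; i < nmartians; i++) {
        const struct martian *m = &martians[i];
        if ((a & plen_mask(m->plen)) == m->net && m->plen > best) {
            best = m->plen;
            reject = !m->allow;
        }
    }
    return reject;
}

/* Stand-in for the nslookupComplain path: returns 1 if the A RR for dname
 * is accepted, 0 after logging a complaint in the spirit of the BIND code. */
int check_a_rr(const char *dname, const char *addr)
{
    if (martian_match(addr)) {
        fprintf(stderr, "Bogus (martian %s) A RR for %s\n", addr, dname);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: the OSPF case from the message above. */
    martian_load_defaults();
    check_a_rr("ospf-all.mcast.net", "224.0.0.5");  /* rejected by default */
    martian_add("224.0.0.5/32", 1);                  /* operator exception */
    check_a_rr("ospf-all.mcast.net", "224.0.0.5");  /* now accepted */
    check_a_rr("leaky.example", "192.168.1.1");      /* RFC1918, rejected */
    return 0;
}
```

The longest-prefix rule is what makes the list operationally usable: the broad 224.0.0.0/4 deny stays in place for everything leaked by misconfigured internal servers, while a single /32 allow entry carves out the one multicast name this operator actually needs, so the exception lives in configuration rather than in a locally patched named.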