Ticket #606 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

forbid recursion and dns poisoning

Reported by: anarcat Assigned to: anonymous
Priority: urgent Milestone: alternc-0.9.5
Component: Domaines et vhosting Version: alternc-0.9.3.1
Severity: block Keywords:
Cc:

Description

http://alternc.org/marchives/dev/2006-March/002151.html

--- /etc/bind/named.conf.svg    Wed Mar 29 12:03:06 2006
+++ /etc/bind/named.conf        Wed Mar 29 12:15:51 2006
@@ -28,6 +28,8 @@
        auth-nxdomain no;    # conform to RFC1035
         allow-query     { "internal"; };
         allow-transfer  { "allslaves"; };
+       allow-recursion { "internal"; "allslaves"; };
+       fetch-glue no;

 };
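Review bot: the second added line, fetch-glue no;, should be dropped. The option is obsolete in BIND 9, which never fetches glue for the additional section, so the line changes nothing and only produces an "option 'fetch-glue' is obsolete" warning when the configuration is loaded. The allow-recursion line is the part of this hunk that actually closes the resolver to outside clients.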

I'd even go for recursion no;

Change History

03/30/06 00:32:12 changed by anarcat

fixed in [944].

03/30/06 02:00:21 changed by anarcat

  • status changed from new to closed.
  • resolution set to fixed.

04/12/06 16:40:24 changed by denis

config: warning: /etc/bind/named.conf:24: option 'fetch-glue' is obsolete

04/17/06 12:35:26 changed by denis

  • status changed from closed to reopened.
  • resolution deleted.

04/17/06 17:53:56 changed by anarcat

  • milestone changed from 0.9.4 to 0.9.5.

Ah. And what's the replacement?

04/17/06 18:04:11 changed by anarcat

  • status changed from reopened to closed.
  • resolution set to fixed.

http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html#options

fetch-glue

This option is obsolete. In BIND 8, fetch-glue yes caused the server to attempt to fetch glue resource records it didn't have when constructing the additional data section of a response. This is now considered a bad idea and BIND 9 never does it.

Fixed in [1003].

04/17/06 22:10:55 changed by denis

  • status changed from closed to reopened.
  • resolution deleted.

I propose that we use O.H.'s modification (cf. http://alternc.org/marchives/dev/2006-March/002151.html), which (if I've understood everything correctly) both closes the open recursive DNS server to the outside and keeps it usable locally.

auth-nxdomain no; # conform to RFC1035

allow-query { "internal"; }; allow-transfer { "allslaves"; };

+ allow-recursion { "internal"; "allslaves"; };
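Review bot: the added allow-recursion line lists "allslaves" next to "internal", which hands recursive service to the same ACL that allow-transfer already covers; zone transfers do not need recursion. Suggest allow-recursion { "internal"; }; so that only local clients can recurse, or recursion no; if this server only has to answer for its own zones.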

04/25/06 03:20:59 changed by anarcat

  • status changed from reopened to closed.
  • resolution set to fixed.

No, recursive and non-recursive servers must not be mixed:

http://cr.yp.to/djbdns/separation.html

If you want to make that mistake, /etc/alternc/templates is for you. :)
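
Added example, not part of the ticket or of AlternC's code: a small Python audit of a named.conf options block that reports the two things this thread turns on, the obsolete fetch-glue option and recursion left enabled on a server that also holds authoritative zones. The parser, the finding codes and the sample configuration are constructed for illustration, and reporting a missing allow-recursion as unrestricted is an assumption noted in the code.

```python
import re

# Constructed sample: the options from the ticket's patch as first proposed.
PATCHED = '''
options {
        auth-nxdomain no;    # conform to RFC1035
        allow-query     { "internal"; };
        allow-transfer  { "allslaves"; };
        allow-recursion { "internal"; "allslaves"; };
        fetch-glue no;
};
'''

def parse_options(conf):
    """Return {keyword: value} for the statements of the options block."""
    conf = re.sub(r'/\*.*?\*/|(#|//)[^\n]*', '', conf, flags=re.S)  # drop comments
    m = re.search(r'(?m)^\s*options\s*\{', conf)
    opts, depth, cur = {}, 1, ''
    for ch in conf[m.end():] if m else '':
        depth += {'{': 1, '}': -1}.get(ch, 0)
        if depth == 0:                     # closing brace of the options block
            break
        if ch == ';' and depth == 1:       # end of one top-level statement
            parts = cur.split(None, 1)
            if parts:
                opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ''
            cur = ''
        else:
            cur += ch                      # nested "{ ...; }" stays in the value
    return opts

def audit(conf):
    """Return findings about recursion exposure, as short codes."""
    opts = parse_options(conf)
    findings = ['obsolete:' + k for k in ('fetch-glue',) if k in opts]
    if opts.get('recursion') == 'no':
        return findings                    # authoritative-only server
    acl = opts.get('allow-recursion')
    names = re.findall(r'[^\s;{}"]+', acl or '')
    if acl is None or 'any' in names:
        # Assumption: with no allow-recursion, report recursion as unrestricted
        # (the BIND 9.3 default; later releases restrict it to local networks).
        findings.append('recursion:unrestricted')
    else:
        findings.append('recursion:mixed-with-authoritative:' + ','.join(names))
    return findings

if __name__ == '__main__':
    print(audit(PATCHED))
    print(audit(PATCHED.replace('fetch-glue no;', 'recursion no;')))
```
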

07/31/06 03:42:14 changed by anonymous

  • type set to defect.

11/28/06 00:48:11 changed by nahuel

  • status changed from reopened to closed.
  • resolution set to fixed.