Univention Bugzilla – Bug 33252
DNS backend at TCP 7777 not blocked by firewall
Last modified: 2023-06-23 12:23:52 CEST
debian/univention-bind.postinst:
> ucr set ...
>         security/packetfilter/package/univention-bind/udp/7777/all=ACCEPT \
>         security/packetfilter/package/univention-bind/tcp/7777/all=ACCEPT \

Why? As far as I understand it, only the local proxy DNS server needs to access the backend server on TCP port 7777. All other UCS servers get the data directly from LDAP, and any external DNS server would contact the proxy on port 53. This makes the setup vulnerable to DoS, since the LDAP backend needs more resources than traditional zone files. Access for localhost is already allowed.
This was criticized by a customer during a recent workshop.

Additionally, when running Samba/AD, there is no proxy DNS server running at all:
> root@ucs327:~# ucr get dns/backend
> samba4
> root@ucs327:~# ps auxf | grep [n]amed
> root      3110  0.1  2.4 1543612 303032 ?  Sl   Feb22  17:59  |   \_ /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0
> root@ucs327:~# netstat -tulpn | grep '7777'
> root@ucs327:~# ucr search --brief 7777
> security/packetfilter/package/univention-bind/tcp/7777/all/en: DNS server
> security/packetfilter/package/univention-bind/tcp/7777/all: ACCEPT
> security/packetfilter/package/univention-bind/udp/7777/all/en: DNS server
> security/packetfilter/package/univention-bind/udp/7777/all: ACCEPT
(In reply to Michael Grandjean from comment #1)
> Additionally, when running Samba/AD, there is no proxy DNS server running at
> all:

This is expected: the proxy-named is only required/used with the OpenLDAP backend to solve a performance problem, as otherwise any DNS request would trigger an LDAP search. This is less of an issue with the Samba backend.
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
The backend LDAP BIND is still exposed needlessly, which can be used for DoS.
Customer affected: 2023033121000756
UCS VERSION: 5.0-3 errata609

ucr search 7777 | grep :
security/packetfilter/package/univention-bind/tcp/7777/all/en: DNS server
security/packetfilter/package/univention-bind/tcp/7777/all: ACCEPT
security/packetfilter/package/univention-bind/udp/7777/all/en: DNS server
security/packetfilter/package/univention-bind/udp/7777/all: ACCEPT

$ ss -tulpn | grep 7777
$ nmap -p 7777 localhost
PORT     STATE  SERVICE
7777/tcp closed cbt

Why is this port open? This can be used for an attack.
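The complaint in comment #0, the Samba/AD output in comment #1 and the customer's 2023 `ucr search`/`ss` output all come down to the same check: a packetfilter rule that ACCEPTs a port from every address, correlated with what is actually bound on that port. The script below is an added example written for this report, not code from Univention or UCS. It parses the two command outputs quoted in the thread and, for each accept-from-anywhere rule, reports whether a daemon listens on a non-loopback address ("exposed", the OpenLDAP-backend case), only on loopback, or not at all (the Samba/AD case, where the rule is dead but the port is still open in the firewall). The sample texts are constructed, not captured; the backend named is assumed to bind 0.0.0.0:7777, the tcp/53 rule is added for contrast, and treating `ipv4`/`ipv6` as "any peer" selectors alongside `all` is an assumption about the packetfilter variable scheme.

```python
"""Correlate UCS packetfilter ACCEPT rules with the sockets actually bound.

Added example for this bug report, not code from Univention or UCS. It parses
the two outputs quoted in the thread, `ucr search --brief <port>` and
`ss -tulpn` (the sample texts below are constructed, not captured), and, for
every port the firewall accepts from all addresses, reports whether a daemon
listens there on a non-loopback address ("exposed"), only on loopback, or not
at all (the Samba/AD case: the rule is dead but the port is still open).
"""
import re

# security/packetfilter[/package/<pkg>]/<proto>/<port>/<addr>: <policy>
# The "/en" description lines do not match because of the trailing "/en".
UCR_RULE_RE = re.compile(
    r"^security/packetfilter(?:/package/(?P<pkg>[^/]+))?"
    r"/(?P<proto>tcp|udp)/(?P<port>\d+)/(?P<addr>[^/:\s]+): (?P<policy>\S+)$"
)
# Netid State Recv-Q Send-Q Local:Port ...  (the header line does not match)
SS_SOCKET_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+):(?P<port>\d+)\s")
# Address selectors assumed to mean "any peer" (assumption, see lead-in).
WORLD = {"all", "ipv4", "ipv6"}


def parse_ucr(text):
    """Yield (pkg, proto, port, addr, policy) for each packetfilter rule line."""
    for line in text.splitlines():
        m = UCR_RULE_RE.match(line.strip())
        if m:
            yield m["pkg"] or "-", m["proto"], int(m["port"]), m["addr"], m["policy"]


def parse_ss(text):
    """Map (proto, port) -> set of local addresses with a bound socket."""
    bound = {}
    for line in text.splitlines():
        m = SS_SOCKET_RE.match(line)
        if m:
            bound.setdefault((m["proto"], int(m["port"])), set()).add(m["local"])
    return bound


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit(ucr_text, ss_text):
    """Return {"tcp/7777": (verdict, [local addrs])} for every ACCEPT-from-anywhere rule."""
    bound = parse_ss(ss_text)
    report = {}
    for _pkg, proto, port, addr, policy in parse_ucr(ucr_text):
        if policy != "ACCEPT" or addr not in WORLD:
            continue
        locals_ = sorted(bound.get((proto, port), ()))
        if not locals_:
            verdict = "open-but-unused"         # firewall hole with nothing behind it
        elif all(is_loopback(a) for a in locals_):
            verdict = "open-but-loopback-only"  # not reachable from the network anyway
        else:
            verdict = "exposed"                 # reachable: needs a justification
        report[f"{proto}/{port}"] = (verdict, locals_)
    return report


# Constructed sample inputs (not captured from a real host). The tcp/53 rule is
# added alongside the 7777 rules from the bug to show a legitimately exposed port.
SAMPLE_UCR = """\
security/packetfilter/package/univention-bind/tcp/53/all: ACCEPT
security/packetfilter/package/univention-bind/tcp/7777/all/en: DNS server
security/packetfilter/package/univention-bind/tcp/7777/all: ACCEPT
security/packetfilter/package/univention-bind/udp/7777/all/en: DNS server
security/packetfilter/package/univention-bind/udp/7777/all: ACCEPT
"""
SS_HEADER = "Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
# OpenLDAP backend: proxy on 53, backend named assumed bound to 0.0.0.0:7777.
SS_OPENLDAP = SS_HEADER + """\
tcp   LISTEN 0      10     0.0.0.0:53        0.0.0.0:*     users:(("named",pid=1201,fd=21))
tcp   LISTEN 0      10     0.0.0.0:7777      0.0.0.0:*     users:(("named",pid=1350,fd=21))
udp   UNCONN 0      0      0.0.0.0:7777      0.0.0.0:*     users:(("named",pid=1350,fd=512))
"""
# Samba/AD backend: only the Samba-integrated named on 53, nothing on 7777.
SS_SAMBA = SS_HEADER + """\
tcp   LISTEN 0      10     0.0.0.0:53        0.0.0.0:*     users:(("named",pid=3110,fd=21))
"""

if __name__ == "__main__":
    for name, ss in (("openldap", SS_OPENLDAP), ("samba4", SS_SAMBA)):
        for key, (verdict, addrs) in sorted(audit(SAMPLE_UCR, ss).items()):
            print(f"{name:9} {key:9} {verdict:24} {' '.join(addrs)}")
```

On a real host, feed `audit()` the output of `ucr search --brief security/packetfilter` and `ss -tulpn` instead of the samples. Every "exposed" entry is a port that an administrator has to justify; for 7777 the thread's argument is that only the local proxy needs it, so either the rule or the bind address should be narrowed to localhost. The script deliberately reports rather than decides, because it cannot know which peers a service legitimately serves.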