@@ -, +, @@
---
.../ucs-4.0-0/services/univention-bind/bind-acl.py | 94 ++++++++++++++++++++++
.../conffiles/etc/bind/named.conf.proxy | 15 ++--
.../conffiles/etc/bind/named.conf.samba4 | 16 ++--
.../services/univention-bind/debian/changelog | 6 ++
.../univention-bind/debian/univention-bind.dirs | 5 --
.../univention-bind/debian/univention-bind.install | 1 +
.../debian/univention-bind.postinst | 11 +--
7 files changed, 126 insertions(+), 22 deletions(-)
create mode 100755 branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py
+++ a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py
@@ -0,0 +1,94 @@
+#!/usr/bin/python2.7
+# -*- coding: utf-8 -*-
+"""
+Univention BIND listener script
+"""
+# Copyright 2015 Univention GmbH
+#
+# http://www.univention.de/
+#
+# All rights reserved.
+#
+# The source code of this program is made available
+# under the terms of the GNU Affero General Public License version 3
+# (GNU AGPL V3) as published by the Free Software Foundation.
+#
+# Binary versions of this program provided by Univention to you as
+# well as other copyrighted, protected or trademarked materials like
+# Logos, graphics, fonts, specific documentations and configurations,
+# cryptographic keys etc. are subject to a license agreement between
+# you and Univention and not subject to the GNU AGPL V3.
+#
+# In the case you use this program under the terms of the GNU AGPL V3,
+# the program is provided in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License with the Debian GNU/Linux or Univention distribution in file
+# /usr/share/common-licenses/AGPL-3; if not, see
+# .
+
+__package__ = '' # workaround for PEP 366
+import ldap
+import listener
+import ipaddr
+import subprocess
+
+name = 'bind-acl'
+description = 'Update BIND ACLs'
+filter = '(objectClass=univentionNetworkClass)'
+attributes = ['univentionNetmask', 'univentionNetwork']
+
+ACL_CONF_FILE = "/var/lib/bind/network-acls.conf"
+RNDC_BIN = "/usr/sbin/rndc"
+
+conf = {
+ 'ldapserver': None,
+ 'ldapport': 7389,
+ 'basedn': None,
+ 'binddn': None,
+ 'bindpw': None,
+}
+
+
+def setdata(key, value):
+ conf[key] = value
+
+
+def handler(dn, new, old):
+ ldap_uri = "ldap://%(ldapserver)s:%(ldapport)d" % conf
+ ldap_con = ldap.initialize(ldap_uri)
+ ldap_con.bind_s(conf['binddn'], conf['bindpw'])
+ networks = set()
+ for dn, values in ldap_con.search_s(conf['basedn'], ldap.SCOPE_SUBTREE, filter, attributes):
+ network = ipaddr.IPNetwork('%s/%s' % (
+ values['univentionNetwork'][0],
+ values['univentionNetmask'][0],
+ ))
+ networks.add(network.masked())
+
+ listener.setuid(0)
+ try:
+ with open(ACL_CONF_FILE, 'w') as acl:
+ print >> acl, '# THIS FILE IS GENERATED BY bind-acl.py'
+ print >> acl, 'acl ucs_networks {'
+ print >> acl, '\tlocalhost;'
+ for network in networks:
+ print >> acl, '\t%s;' % (network,)
+ print >> acl, '};'
+ subprocess.call(('rndc', '-p', '953', 'reconfig'))
+ finally:
+ listener.unsetuid()
+
+
+if __name__ == '__main__':
+ from univention.config_registry import ConfigRegistry
+ ucr = ConfigRegistry()
+ ucr.load()
+ setdata('ldapserver', ucr['ldap/server/name'])
+ setdata('basedn', ucr['ldap/base'])
+ setdata('binddn', ucr['ldap/hostdn'])
+ setdata('bindpw', open('/etc/machine.secret', 'r').read())
+ handler('', None, None)
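Review bot: The ACL file is truncated in place by `open(ACL_CONF_FILE, 'w')` in the `with` block near the end of the hunk, so any failure while writing leaves a partial `acl ucs_networks` definition on disk for the next named start, and the return value of `subprocess.call` is discarded, so a failed `rndc reconfig` goes unnoticed while named keeps serving the old ACL. Writing to a temporary sibling, renaming it into place and then checking the exit code keeps the file consistent at every moment; the constant `RNDC_BIN` defined above is also unused, the call spells out `'rndc'` instead. This needs `import os` added to the import block at the top of the file. Separately, the `__main__` block passes `open('/etc/machine.secret', 'r').read()` as the bind password; if that file ends with a newline the bind will presumably fail, so `.read().rstrip('\n')` is the safer form.
```python
    listener.setuid(0)
    try:
        tmp_file = ACL_CONF_FILE + '.tmp'
        with open(tmp_file, 'w') as acl:
            print >> acl, '# THIS FILE IS GENERATED BY bind-acl.py'
            # … unchanged: acl ucs_networks { localhost; <networks> }; lines …
        os.rename(tmp_file, ACL_CONF_FILE)  # atomic replace: named never reads a half-written file
        rc = subprocess.call((RNDC_BIN, '-p', '953', 'reconfig'))
        if rc != 0:
            raise RuntimeError('rndc reconfig failed with exit code %d' % (rc,))
    finally:
        listener.unsetuid()
```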
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.proxy
+++ a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.proxy
@@ -1,15 +1,19 @@
@%@UCRWARNING=# @%@
-controls{
+controls {
inet 127.0.0.1
allow { @%@dns/master/address@%@; };
-};
+};
+
+include "/var/lib/bind/network-acls.conf";
+
options {
- directory "/var/cache/bind";
+ directory "/var/cache/bind";
@!@
-dns_allow_query = configRegistry.get('dns/allow/query')
-dns_allow_query_cache = configRegistry.get('dns/allow/query/cache')
+NETWORK_ACL = 'ucs_networks'
+dns_allow_query = configRegistry.get('dns/allow/query', NETWORK_ACL)
+dns_allow_query_cache = configRegistry.get('dns/allow/query/cache', NETWORK_ACL)
dns_allow_transfer = configRegistry.get('dns/allow/transfer')
if dns_allow_query:
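Review bot: `configRegistry.get('dns/allow/query', NETWORK_ACL)` only falls back to the ACL when the variable is absent; a variable set to an empty value yields `''`, and the unchanged `if dns_allow_query:` guard on the last hunk line then emits no `allow-query` statement at all, leaving named's built-in default in force rather than `ucs_networks`. `dns_allow_query = configRegistry.get('dns/allow/query') or NETWORK_ACL` (and likewise for `dns/allow/query/cache`) makes the ACL the fallback in both cases. The same pattern appears in the first hunk of named.conf.samba4. The `if dns_allow_query:` block continues outside the hunk.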
@@ -25,6 +29,7 @@ if configRegistry.is_true('dns/ipv6', True ):
val = 'any'
print '\tlisten-on-v6 { %s; };' % val
@!@};
+
logging {
category lame-servers { null; };
category default{ default_syslog; };
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.samba4
+++ a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.samba4
@@ -1,14 +1,18 @@
@%@UCRWARNING=# @%@
-controls{
+controls {
inet 127.0.0.1
allow { @%@dns/master/address@%@; };
-};
+};
+
+include "/var/lib/bind/network-acls.conf";
+
options {
- tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
+ tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
@!@
-dns_allow_query = configRegistry.get('dns/allow/query')
-dns_allow_query_cache = configRegistry.get('dns/allow/query/cache')
+NETWORK_ACL = 'ucs_networks'
+dns_allow_query = configRegistry.get('dns/allow/query', NETWORK_ACL)
+dns_allow_query_cache = configRegistry.get('dns/allow/query/cache', NETWORK_ACL)
dns_allow_transfer = configRegistry.get('dns/allow/transfer')
if dns_allow_query:
@@ -32,7 +36,6 @@ logging {
};
};
-
@!@
if configRegistry.get('dns/forwarder1') or configRegistry.get('dns/forwarder2') or configRegistry.get('dns/forwarder3'):
print '\n# Found a forwarder in ucr variables, using forwarder in zone ".".'
@@ -100,4 +103,3 @@ print '''dlz "samba4.zone" {
@!@
include "/etc/bind/local.conf.samba4";
-
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/changelog
+++ a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/changelog
@@ -1,3 +1,9 @@
+univention-bind (9.0.5-1) unstable; urgency=low
+
+ * Bug #37553: Add ACL list to prevent Open DNS Resolver
+
+ -- Philipp Hahn Thu, 15 Jan 2015 14:22:30 +0100
+
univention-bind (9.0.4-1) unstable; urgency=low
* If no dns/forwarder is set, use the nameserver variables as forwarder
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.dirs
+++ a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.dirs
@@ -1,9 +1,4 @@
-usr/lib/univention-directory-listener/system
-usr/lib/univention-install/
-etc/bind
etc/runit/univention-bind
etc/runit/univention-bind-proxy
etc/runit/univention-bind-samba4
-etc/init.d
-usr/share/univention-bind/
var/cache/univention-bind-proxy
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.install
+++ a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.install
@@ -1,4 +1,5 @@
bind.py usr/lib/univention-directory-listener/system
+bind-acl.py usr/lib/univention-directory-listener/system/
05univention-bind.inst usr/lib/univention-install
etc/bind/db.root.fake etc/bind
90univention-bind-post.inst usr/lib/univention-install
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.postinst
+++ a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.postinst
@@ -32,17 +32,17 @@
. /usr/share/univention-lib/all.sh
+touch /var/lib/bind/network-acls.conf
+
#DEBHELPER#
# configure firewall
ucr set security/packetfilter/package/univention-bind/udp/53/all=ACCEPT \
security/packetfilter/package/univention-bind/tcp/53/all=ACCEPT \
- security/packetfilter/package/univention-bind/udp/7777/all=ACCEPT \
- security/packetfilter/package/univention-bind/tcp/7777/all=ACCEPT \
security/packetfilter/package/univention-bind/udp/53/all/en="DNS proxy" \
security/packetfilter/package/univention-bind/tcp/53/all/en="DNS proxy" \
- security/packetfilter/package/univention-bind/udp/7777/all/en="DNS server" \
- security/packetfilter/package/univention-bind/tcp/7777/all/en="DNS server"
+ security/packetfilter/package/univention-bind/udp/7777/all/en="Backend DNS server" \
+ security/packetfilter/package/univention-bind/tcp/7777/all/en="Backend DNS server"
[ -x "/etc/init.d/univention-firewall" ] && invoke-rc.d univention-firewall restart
chmod g+w /etc/bind
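Review bot: `touch /var/lib/bind/network-acls.conf` guarantees the file exists for the new `include` in named.conf, but an empty file defines no `ucs_networks` ACL while the generated `allow-query` now defaults to that name, so until the bind-acl listener has run once named will presumably reject its configuration. Seeding the file with a localhost-only definition when it is empty fails closed instead: `[ -s /var/lib/bind/network-acls.conf ] || printf 'acl ucs_networks {\n\tlocalhost;\n};\n' >/var/lib/bind/network-acls.conf`. The listener rewrites the whole file on its first run, so the seed has no lasting effect.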
@@ -51,7 +51,8 @@ chmod g+w /etc/bind/*
univention-config-registry set 'bind/autostart?yes' \
'dns/ipv6?yes' \
'nameserver/external?false' \
- 'dns/allow/query?any' \
+ 'dns/allow/query?ucs_networks' \
+ 'dns/allow/query/cache?ucs_networks' \
'dns/allow/transfer?any' \
'dns/dlz/debug/level?0' \
'dns/debug/level?0'
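Review bot: `'dns/allow/query?ucs_networks'` assigns only when the variable is unset, but the line it replaces set `dns/allow/query?any` on every earlier install, so a system upgraded from 9.0.4 keeps `any` for `allow-query`; only fresh installs get the new default. `dns/allow/query/cache` is a new key and does pick up `ucs_networks`, which is presumably what actually limits recursion, so the upgrade behaviour should at least be stated in the changelog. If `allow-query` should also be tightened on upgrade, gate a migration on the previously configured version: `if [ "$1" = configure ] && dpkg --compare-versions "$2" lt-nl 9.0.5-1 && [ "$(ucr get dns/allow/query)" = any ]; then ucr set dns/allow/query=ucs_networks; fi`.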
--