Bug 37553
| Summary: | bind9 configures as open resolver - DDoS | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Philipp Hahn <hahn> |
| Component: | DNS | Assignee: | Philipp Hahn <hahn> |
| Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
| Severity: | normal | ||
| Priority: | P5 | CC: | best, damrose, gohmann, gulden, jmm, requate, walkenhorst |
| Version: | UCS 4.0 | ||
| Target Milestone: | UCS 4.0-0-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=17270 | ||
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | Security | |
| Max CVSS v3 score: | |||
| Bug Depends on: | |||
| Bug Blocks: | 37628 | ||
| Attachments: | Add ACL list to prevent Open DNS Resolver | ||
|
Description
Philipp Hahn
1. Using "localnets" would break setups with more then one subnet. 2. Add listener module to track UDM entries "networks/network" and create ACL from that. Created attachment 6606 [details]
Add ACL list to prevent Open DNS Resolver
(In reply to Philipp Hahn from comment #2) > Created attachment 6606 [details] > Add ACL list to prevent Open DNS Resolver We should solve it in the following way: - A UCR variable contains the IP addresses and the networks which can query the DNS server - During a new installation all local networks should be set to the UCR variable: http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces http://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses - During an update the access should be given to all - A SDB article and the documentation should describe how to add another IP address or network. Please create for anything else you want to change a separate bug. The bug was introduced by Bug #17270, where "any" was introduced for backward compatibility with a previous UCS-2.3 version. The UCRV 'dns/allow/query/cache' was introduced back then and defaults to the vulnerable "any". r57534 | Bug #37553 BIND: Open Resolver Set dns/allow/query/cache on upgrades: Note: this will not work until a new UCS-ISO is built! SDB: <http://sdb.univention.de/1298> Note: needs to be updated after erratum number is allocated. r57538 | Bug #37553 BIND: Open Resolver YAML 2015-01-26-univention-bind.yaml Further reading: BIND9: <http://www.team-cymru.org/Services/Resolvers/instructions.html> BIND9 "localnets": <http://www.zytrax.com/books/dns/ch7/address_match_list.html#reserved-names> BIND9 queries: <http://www.zytrax.com/books/dns/ch7/queries.html> BIND9 security: <http://www.aitechsolutions.net/dnsservertips.html> Windows security: <http://technet.microsoft.com/en-us/library/cc731367.aspx> Windows "localnets": <http://technet.microsoft.com/en-us/library/cc755068.aspx> For QA: For testing you can use the "dig" commands from comment 0, but must query from outside the private networks. (or change the UCRV to not include the network you're querying from). r57543 | Bug #37553 BIND: Open Resolver YAML r57542 | Bug #37553 BIND: Open Resolver Only on first install YAML: OK Code review: OK Tests: OK For now we will keep "localnets" in the list of allowed hosts, as that might cause more harm than benefit: - Joining an UCS system would create empty /etc/apt/sources.list.d/* files, as resolving "updates.software-univention.de" and "appcenter.software-univention.de" would no longer work for them. - In EC2 10.X.Y.Z/23 is used, which is allowed by 10/8 anyway, so removing "localnets" there would change anything. - There might be other ISPs, which have large shared subnets, where one user can abuse an UCS system of an other user. AFAIK that is not the norm and individual customers get individual sub-nets for their own. Created Bug #37628 for UMC System Diagnostics. |