Univention Bugzilla – Bug 37553
bind9 configures as open resolver - DDoS
Last modified: 2016-09-21 18:10:22 CEST
Our BIND allows recursive queries from any host and can be mis-used for DDoS attacks:

    $ dig +short test.openresolver.com TXT @192.168.0.135 # UCS-3.2-4
    "open-resolver-detected"
    $ dig +short test.openresolver.com TXT @10.200.17.35 # UCS-3.2-4 S4
    "open-resolver-detected"
    $ dig +short test.openresolver.com TXT @10.200.17.70 # UCS-4.0-0 S4
    "open-resolver-detected"

See <http://openresolverproject.org/> for more background information.
1. Using "localnets" would break setups with more than one subnet.
2. Add listener module to track UDM entries "networks/network" and create ACL from that.
Created attachment 6606
Add ACL list to prevent Open DNS Resolver
(In reply to Philipp Hahn from comment #2)
> Created attachment 6606
> Add ACL list to prevent Open DNS Resolver

We should solve it in the following way:
- A UCR variable contains the IP addresses and the networks which can query the DNS server.
- During a new installation all local networks should be set to the UCR variable:
  http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
  http://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses
- During an update the access should be given to all.
- An SDB article and the documentation should describe how to add another IP address or network.

Please create a separate bug for anything else you want to change.
The bug was introduced by Bug #17270, where "any" was introduced for backward compatibility with a previous UCS-2.3 version. The UCRV 'dns/allow/query/cache' was introduced back then and defaults to the vulnerable "any".

r57534 | Bug #37553 BIND: Open Resolver
  Set dns/allow/query/cache on upgrades
  Note: this will not work until a new UCS-ISO is built!
  SDB: <http://sdb.univention.de/1298>
  Note: needs to be updated after erratum number is allocated.

r57538 | Bug #37553 BIND: Open Resolver
  YAML 2015-01-26-univention-bind.yaml

Further reading:
  BIND9: <http://www.team-cymru.org/Services/Resolvers/instructions.html>
  BIND9 "localnets": <http://www.zytrax.com/books/dns/ch7/address_match_list.html#reserved-names>
  BIND9 queries: <http://www.zytrax.com/books/dns/ch7/queries.html>
  BIND9 security: <http://www.aitechsolutions.net/dnsservertips.html>
  Windows security: <http://technet.microsoft.com/en-us/library/cc731367.aspx>
  Windows "localnets": <http://technet.microsoft.com/en-us/library/cc755068.aspx>
For QA: For testing you can use the "dig" commands from comment 0, but must query from outside the private networks (or change the UCRV to not include the network you're querying from).
r57543 | Bug #37553 BIND: Open Resolver
  YAML

r57542 | Bug #37553 BIND: Open Resolver
  Only on first install
YAML: OK
Code review: OK
Tests: OK
For now we will keep "localnets" in the list of allowed hosts, as that might cause more harm than benefit:
- Joining a UCS system would create empty /etc/apt/sources.list.d/* files, as resolving "updates.software-univention.de" and "appcenter.software-univention.de" would no longer work for them.
- In EC2 10.X.Y.Z/23 is used, which is allowed by 10/8 anyway, so removing "localnets" there would change anything.
- There might be other ISPs, which have large shared subnets, where one user can abuse a UCS system of another user. AFAIK that is not the norm and individual customers get individual sub-nets for their own.

Created Bug #37628 for UMC System Diagnostics.
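An added example, not Univention's code and not taken from this bug's attachments, showing the access-list logic the comments above describe (comment 3's private-network list and comment 9's decision to keep "localnets"): it parses an allow-list value into networks, checks whether a querying client falls inside it, and renders the matching BIND acl with an allow-query-cache statement. The space-separated value format, the acl name `cache-clients` and the use of BIND's companion `allow-recursion` option are assumptions; BIND reserved names such as `localnets` are passed through to the rendered config but cannot be evaluated offline, since only named knows the server's own interfaces.

```python
import ipaddress

# Private address ranges proposed in comment 3 for new installations
# (RFC 1918 IPv4 and RFC 4193 IPv6 unique local addresses).
PRIVATE_NETWORKS = "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7"

# The vulnerable default (comment 4): "any" lets every host use the cache,
# which is exactly what test.openresolver.com detects.
OPEN_RESOLVER_VALUE = "any"

# BIND reserved names that only named itself can resolve; kept verbatim.
RESERVED_NAMES = {"any", "none", "localhost", "localnets"}


def parse_allow_list(value):
    """Parse a space-separated allow-list value (assumed format).

    Network entries become ipaddress objects; "any" becomes the two
    universal networks so it can be evaluated; other reserved names stay
    strings and are passed through to the rendered configuration.
    """
    entries = []
    for token in value.split():
        token = token.rstrip(";")
        if token == "any":
            entries += [ipaddress.ip_network("0.0.0.0/0"),
                        ipaddress.ip_network("::/0")]
        elif token in RESERVED_NAMES:
            entries.append(token)
        else:
            entries.append(ipaddress.ip_network(token, strict=False))
    return entries


def client_allowed(client_ip, entries):
    """True if the querying client matches one of the address entries.

    Reserved names other than "any" are skipped: they depend on the
    server's own interfaces and cannot be evaluated here.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in entries
               if not isinstance(net, str) and net.version == addr.version)


def render_named_conf(entries, acl_name="cache-clients"):
    """Render an acl plus the allow-query-cache statement that uses it."""
    lines = [f'acl "{acl_name}" {{']
    lines += [f"    {entry};" for entry in entries]
    lines += ["};", "options {",
              f"    allow-query-cache {{ {acl_name}; }};",
              # allow-recursion is BIND's companion option (an addition
              # here, not mentioned in the bug).
              f"    allow-recursion {{ {acl_name}; }};",
              "};"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_allow_list(PRIVATE_NETWORKS)
    for ip in ("192.168.0.135", "8.8.8.8"):
        print(ip, "allowed" if client_allowed(ip, entries) else "refused")
    print(render_named_conf(entries))
```

Running the script refuses the public address and admits the private one, and prints the stanza that replaces the open `allow-query-cache { any; };` default; feeding `OPEN_RESOLVER_VALUE` to `parse_allow_list` instead reproduces the open-resolver behaviour for comparison.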
<http://errata.univention.de/ucs/4.0/66.html>