Univention Bugzilla – Bug 44380
AXFR should be limited to UCS system roles only
Last modified: 2024-03-04 11:00:43 CET
dig +noall +answer +onesoa +multiline @10.1.0.10 <<DOMAIN>> AXFR delivers the whole DNS zone file. This is nice for debugging, but should be limited to UCS domain controller roles. Clients in the network should not be able to perform this action. See user feedback at Ticket#2017041321000479 for more details.
Even worse: UCS does NOT use zone transfer between UCS servers, as they all pull the zone data directly from LDAP; the zone transfer is ONLY used between the LDAP-named and PROXY-named when UCRV dns/backend=ldap is used. Notifications are still sent, but ignored by the named:

> named[1142]: received control channel command 'reload phahn.qa'
> named[1145]: received control channel command 'reload phahn.qa'

We should drop that 2nd reload from bind.py:213-215, as this duplicates the notify mechanism used between the LDAP-named and PROXY-named.

> named[1145]: zone phahn.qa/IN: Transfer started.
> named[1145]: transfer of 'phahn.qa/IN' from 127.0.0.1#7777: connected using 127.0.0.1#53005
> named[1142]: client 127.0.0.1#53005 (phahn.qa): transfer of 'phahn.qa/IN': AXFR-style IXFR started
> named[1145]: zone phahn.qa/IN: transferred serial 24
> named[1145]: transfer of 'phahn.qa/IN' from 127.0.0.1#7777: Transfer completed: 1 messages, 17 records, 603 bytes, 0.007 secs (86142 bytes/sec)
> named[1145]: zone phahn.qa/IN: sending notifies (serial 24)
> named[1142]: client 127.0.0.1#53005 (phahn.qa): transfer of 'phahn.qa/IN': AXFR-style IXFR ended
> named[1142]: zone phahn.qa/IN: zone serial (24) unchanged. zone may fail to transfer to slaves.
> named[1142]: zone phahn.qa/IN: sending notifies (serial 24)
> named[1145]: client 127.0.0.1#4252: received notify for zone 'phahn.qa'
> named[1145]: zone phahn.qa/IN: notify from 127.0.0.1#4252: zone is up to date
> named[1145]: client 10.200.17.30#49733: received notify for zone 'phahn.qa'
> named[1145]: zone phahn.qa/IN: refused notify from non-master: 10.200.17.30#49733
> named[1145]: client 10.200.17.30#34030: received notify for zone 'phahn.qa'
> named[1145]: zone phahn.qa/IN: refused notify from non-master: 10.200.17.30#34030
> named[1145]: client 10.200.17.7#31415: received notify for zone 'phahn.qa'
> named[1145]: zone phahn.qa/IN: refused notify from non-master: 10.200.17.7#31415

These are the notifies from the PROXY-named on the DC-Master and from both LDAP-/PROXY-named on the DC-Backup; they are ignored. We should just disable all notifications with notify explicit; and configure an explicit notify between LDAP-named and PROXY-named with also-notify {127.0.0.1;}; We probably need to add a new UCRV to make that configurable as some customers use external DNS servers pushed from UCS systems. See <http://www.zytrax.com/books/dns/ch7/xfer.html#notify>

FYI: As the data in LDAP is not secret, any domain user (student) can pull the DNS data from there even when zone transfers are disabled:

ldapsearch -Y GSSAPI -b "cn=dns,$(/usr/sbin/ucr get ldap/base)" '(objectClass=dNSZone)' dn

So disallowing the zone transfer does not buy you much. Nevertheless it should be disabled by default as this is current best practice for DNS servers.
Created attachment 8780
Limit AXFR

166d48d27a Bug #44380 DNS: Only notify local PROXY-named
f23e0ea05f Bug #44380 DNS: Limit zone transfers to localhost

TODO: Add new UCRV to configure AXFR from PROXY/SAMBA-named for external NS
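The two changes proposed in the comments above (restrict AXFR to the local PROXY-named, replace broadcast notifies with an explicit one), written out as BIND 9 named.conf fragments. This is an added illustration, not the UCS template or the attached patch; the zone name and the port 7777 of the LDAP-named are taken from the log excerpt, the acl name and the "before" block are assumptions for contrast.

```conf
// Added example (not from the Univention bug or patch). Each "zone" block
// belongs in a different named.conf: the LDAP-named config (before/after)
// and the PROXY-named config. Do not put all three in one file.

// --- LDAP-named (127.0.0.1 port 7777), BEFORE --------------------------
// BIND 9 of that era defaulted allow-transfer to "any": every client on
// the LAN can AXFR the zone, and every NS in the zone gets a NOTIFY.
zone "phahn.qa" {
    type master;
    allow-transfer { any; };   // weak: zone walk for any client
    notify yes;                // notifies all NS records; they are ignored
};

// --- LDAP-named (127.0.0.1 port 7777), AFTER ---------------------------
// Only the local PROXY-named may transfer, and only it is notified.
acl "proxy-named" { 127.0.0.1; };          // assumed acl name
zone "phahn.qa" {
    type master;
    allow-transfer { "proxy-named"; };
    notify explicit;                        // send NOTIFY only to also-notify
    also-notify { 127.0.0.1 port 53; };     // the PROXY-named
};

// --- PROXY-named (127.0.0.1 port 53) -----------------------------------
// Answers normal queries for clients; pulls the zone from LDAP-named and
// refuses AXFR to everyone else. An external secondary NS (the proposed
// UCRV) would be added to allow-transfer and also-notify here.
zone "phahn.qa" {
    type slave;
    masters { 127.0.0.1 port 7777; };
    allow-notify { 127.0.0.1; };    // drop "notify from non-master" noise
    allow-transfer { none; };       // extend per UCRV for external NS
    notify no;
};
```

After reloading, the dig AXFR from the first comment should answer "Transfer failed." from any host other than localhost, while ordinary lookups keep working.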
There is a Customer ID set so I set the flag "Enterprise Customer affected".
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
At least it should be documented and how to block this.