From markk@knigma.org  Wed Apr  3 11:39:15 2013
Return-Path: <markk@knigma.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	by hub.freebsd.org (Postfix) with ESMTP id 9821E93E
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  3 Apr 2013 11:39:15 +0000 (UTC)
	(envelope-from markk@knigma.org)
Received: from shrewd.pub.knigma.org (shrewd.ipv6.pub.knigma.org [IPv6:2001:8b0:b0:1::1])
	by mx1.freebsd.org (Postfix) with ESMTP id 3FC7E859
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  3 Apr 2013 11:39:15 +0000 (UTC)
Received: from shrewd.pub.knigma.org (localhost [127.0.0.1])
	by shrewd.pub.knigma.org (8.14.5/8.14.5) with ESMTP id r33BdCqA077828
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 3 Apr 2013 12:39:12 +0100 (BST)
	(envelope-from mkn@shrewd.pub.knigma.org)
Received: (from mkn@localhost)
	by shrewd.pub.knigma.org (8.14.5/8.14.5/Submit) id r33BdCdq077827;
	Wed, 3 Apr 2013 12:39:12 +0100 (BST)
	(envelope-from mkn)
Message-Id: <201304031139.r33BdCdq077827@shrewd.pub.knigma.org>
Date: Wed, 3 Apr 2013 12:39:12 +0100 (BST)
From: Mark Knight <markk@knigma.org>
Reply-To: Mark Knight <markk@knigma.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: named.conf comment to slave root suggests potentially dangerous BIND configuration
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         177607
>Category:       conf
>Synopsis:       named.conf comment to slave root suggests potentially dangerous BIND configuration
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 03 11:40:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Wed Apr  3 15:00:00 UTC 2013
>Originator:     Mark Knight
>Release:        FreeBSD 9.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD shrewd.pub.knigma.org 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r244649: Thu Dec 27 22:02:49 GMT 2012 root@shrewd.pub.knigma.org:/sys/amd64/compile/SHREWD amd64

>Description:
	
	The comment in the default named.conf encourages users to slave the root but does not provide
	an example configuration that prevents a name server being used as an amplifier in DDOS attacks.
	Users who adopt this configuration by uncommenting the supplied entries are likely to receive
	abuse reports or be unwitting participants in a DDOS attack.
>How-To-Repeat:
	Uncomment zone "." entry and then run dig -t ns @x.x.x.x . from the Internet.
>Fix:
	Consider applying a patch such as the one enclosed below to the default configuration file to help users
	avoid this misconfiguration if they uncomment the relevant slave zone configurations.

Index: etc/namedb/named.conf
===================================================================
--- etc/namedb/named.conf	(revision 247765)
+++ etc/namedb/named.conf	(working copy)
@@ -104,6 +104,7 @@
 	masters {
 		192.5.5.241;	// F.ROOT-SERVERS.NET.
 	};
+	allow-query { localhost; };
 	notify no;
 };
 zone "arpa" {
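Review bot: `allow-query { localhost; };` in the "." stanza only lets 127.0.0.1 ask for the slaved root zone, so the moment an operator widens the global `listen-on` beyond 127.0.0.1 to serve a LAN (the usual reason to slave the root at all), every LAN client gets REFUSED for this zone while the server keeps recursing for them; the follow-up's `allow-query { localnets; };` fits that use better. The adjoining comment should also say that a zone-level allow-query overrides the global one and gates only answers for this zone; whether outsiders can use the server as a recursive resolver is governed by allow-recursion, which this change does not touch.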
@@ -112,6 +113,7 @@
 	masters {
 		192.5.5.241;	// F.ROOT-SERVERS.NET.
 	};
+	allow-query { localhost; };
 	notify no;
 };
 */
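Review bot: the same literal ACL is pasted into the "arpa" stanza; declaring it once at the top of the file (e.g. `acl "trusted" { localnets; };`) and writing `allow-query { trusted; };` in both zones keeps the two stanzas from drifting when one is edited. Since both hunks sit inside the `/* ... */` block closed by ` */`, the change only alters example text and has no effect until a user uncomments the zones, so the guidance belongs in the comment as much as in the stanzas.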

>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim.konovalov@gmail.com>
To: Mark Knight <markk@lnigma.org>
Cc: bug-followup@freebsd.org
Subject: Re: conf/177607: named.conf comment to slave root suggests potentially
 dangerous BIND configuration
Date: Wed, 3 Apr 2013 16:03:04 +0400 (MSK)

 Hello,
 
 [...]
 > >Description:
 >
 > 	The comment in the default named.conf encourages users to slave the root but does not provide
 > 	an example configuration that prevents a name server being used as an amplifier in DDOS attacks.
 > 	Users who adopt this configuration by uncommenting the supplied entries are likely to receive
 > 	abuse reports or be unwitting participants in a DDOS attack.
 > >How-To-Repeat:
 > 	Uncomment zone "." entry and then run dig -t ns @x.x.x.x . from the Internet.
 
 With the "listen-on { 127.0.0.1; };" at the line 22 it won't hurt
 anybody.  If you are going to change this setting then you have more
 work to secure your named server.
 
 -- 
 Maxim Konovalov

From: Maxim Konovalov <maxim.konovalov@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: conf/177607: named.conf comment to slave root suggests potentially
 dangerous BIND configuration
Date: Wed, 3 Apr 2013 16:05:14 +0400 (MSK)

 Just for the record, mail to the submitter bounces:
 
    ----- Transcript of session follows -----
 550 5.1.2 <markk@lnigma.org>... Host unknown (Name server: lnigma.org:
 host not found)
 
 -- 
 Maxim Konovalov

From: Mark Knight <markk@knigma.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/177607: named.conf comment to slave root suggests potentially
 dangerous BIND configuration
Date: Wed, 03 Apr 2013 13:37:02 +0100

 Sorry, typo in my mail address - should be markk@knigma.org.
 
 In the proposed patch - allow-query { localnets; }; would be better than 
 localhost. I still think it better to make this example more robust.
 
 Best regards, Mark
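
Added example, not part of this PR or of FreeBSD's named.conf: a short Python lint that applies the three positions taken in this thread (a loopback-only listen-on, the patch's localhost ACL, and localnets) to a constructed named.conf and reports, for the slaved "." and "arpa" zones, whether arbitrary hosts could query them. The brace parser, the sample file, the 192.0.2.53 address and the verdict names are this example's own assumptions, not BIND's parser or FreeBSD's file.

```python
"""Added example for PR conf/177607; not part of the PR or of FreeBSD's
named.conf. Lints the "private copy" zones the default file offers to slave
("." and "arpa") and reports whether arbitrary hosts may query them, which is
the amplifier exposure the PR describes. The brace parser is a simplification
made for this example, not BIND's parser."""
import re

TOKEN = re.compile(r'\{|\}|;|"[^"]*"|[^\s{};"]+')
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def strip_comments(text):
    """Drop /* */, // and # comments, so commented-out stanzas are ignored
    just as named ignores them."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse(tokens, i=0):
    """Parse `word ... { block };` statements recursively.
    Returns (list of (words, block-or-None), index after the closing brace)."""
    stmts = []
    while i < len(tokens):
        if tokens[i] == "}":
            return stmts, i + 1
        words, block = [], None
        while i < len(tokens) and tokens[i] not in ("{", ";", "}"):
            words.append(tokens[i].strip('"'))
            i += 1
        if i < len(tokens) and tokens[i] == "{":
            block, i = parse(tokens, i + 1)
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        if words or block is not None:
            stmts.append((words, block))
    return stmts, i


def first(stmts, keyword):
    """Block of the first statement that starts with `keyword`, else None."""
    return next((b for w, b in stmts if w and w[0] == keyword), None)


def addresses(block):
    return [w[0] for w, _ in block if w]


def listen_is_loopback_only(options):
    """named listens on every interface unless listen-on narrows it."""
    lists = [b for w, b in options
             if w and w[0] in ("listen-on", "listen-on-v6") and b is not None]
    return bool(lists) and all(a in LOOPBACK for b in lists for a in addresses(b))


def lint(conf_text, private_zones=(".", "arpa")):
    """Map each private-copy zone to 'unreachable' (loopback listen-on only),
    'open' (anyone may query), 'localhost-only' or 'restricted'."""
    stmts, _ = parse(TOKEN.findall(strip_comments(conf_text)))
    options = first(stmts, "options") or []
    loopback_only = listen_is_loopback_only(options)
    global_acl = first(options, "allow-query")
    verdicts = {}
    for words, block in stmts:
        if len(words) < 2 or words[0] != "zone" or words[1] not in private_zones:
            continue
        # A zone-level allow-query overrides the global one; with neither set,
        # BIND answers any querier.
        acl = first(block or [], "allow-query")
        acl = global_acl if acl is None else acl
        entries = set(addresses(acl)) if acl is not None else {"any"}
        if loopback_only:
            verdict = "unreachable"
        elif "any" in entries:
            verdict = "open"
        elif entries <= LOOPBACK:
            verdict = "localhost-only"
        else:
            verdict = "restricted"
        verdicts[words[1]] = verdict
    return verdicts


def sample_conf(listen, zone_query=None):
    """Constructed named.conf modelled on the default file's slave-root
    stanzas after uncommenting, with the two knobs the thread discusses."""
    aq = f"\tallow-query {{ {zone_query}; }};\n" if zone_query else ""
    return f"""
options {{
\tdirectory\t"/etc/namedb/working";
\tlisten-on\t{{ {listen}; }};
}};
zone "." {{
\ttype slave;
\tfile "/etc/namedb/slave/root.slave";
\tmasters {{
\t\t192.5.5.241;\t// F.ROOT-SERVERS.NET.
\t}};
{aq}\tnotify no;
}};
zone "arpa" {{
\ttype slave;
\tmasters {{ 192.5.5.241; }};
{aq}\tnotify no;
}};
/* still commented out, so it must not override the stanza above
zone "." {{ type slave; allow-query {{ any; }}; }};
*/
"""


if __name__ == "__main__":
    for listen, acl in (("127.0.0.1", None), ("192.0.2.53", None),
                        ("192.0.2.53", "localhost"), ("192.0.2.53", "localnets")):
        print(f"listen-on {listen:<11} allow-query {acl}: {lint(sample_conf(listen, acl))}")
```

With the shipped `listen-on { 127.0.0.1; };` both zones come out "unreachable", which is the point made earlier in the thread; widen listen-on to a LAN address without an ACL and they become "open"; the patch's localhost ACL yields "localhost-only", and localnets yields "restricted".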
 

From: Maxim Konovalov <maxim.konovalov@gmail.com>
To: Mark Knight <markk@knigma.org>
Cc: bug-followup@freebsd.org
Subject: Re: conf/177607: named.conf comment to slave root suggests potentially
 dangerous BIND configuration
Date: Wed, 3 Apr 2013 18:00:20 +0400 (MSK)

 >  Sorry, typo in my mail address - should be markk@knigma.org.
 >
 >  In the proposed patch - allow-query { localnets; }; would be better than
 >  localhost. I still think it better to make this example more robust.
 >
 I corrected your address in the Reply-To header.
 
 I still think that our named.conf is not a BIND security guide.  But
 this is just my opinion and I leave the PR.
 
 Still, I don't understand why the PR has Severity serious and Priority
 high if we are speaking about the commented out example (even
 uncommented it won't hurt anybody) in the daemon that doesn't run by
 default.
 
 -- 
 Maxim Konovalov

From: Mark Knight <markk@knigma.org>
To: Maxim Konovalov <maxim.konovalov@gmail.com>
Cc: bug-followup@freebsd.org
Subject: Re: conf/177607: named.conf comment to slave root suggests potentially
 dangerous BIND configuration
Date: Wed, 03 Apr 2013 15:51:35 +0100

 Thanks for fixing up the Reply-To.
 
 I stupidly uncommented these lines on a box *assuming* it was safe. Once 
 upon a time responding to root DNS queries wouldn't have been considered 
 a bad thing. However today I received an abuse@ report to thank me for 
 my error. The comment above the stanza doesn't mention the amplifier 
 threat (although it does mention general caution) and appears to offer a 
 good suggestion for improving resilience and reducing net traffic that's 
 "ready to run". Clearly it isn't.
 
 My rationale was that it's a quick and easy fix and given the recent 
 attacks it was worth giving this a high priority in the name of 
 pro-active security. It's a potential security issue and is therefore 
 serious. Apologies if I've exaggerated the threat.
>Unformatted:
