[BlueOnyx:11631] Re: BIND config

George F. Nemeyer tigerwolf at tigerden.com
Sat Oct 27 00:33:47 -05 2012


On Sat, 27 Oct 2012, Michael Stauber wrote:

>   // recursion access denied      <---- WHAT's this then??
>
>   // recursion allowed
> };
>
> ... then recursion is enabled.

Even though it also says it's denied just before?   If the last line is
what's 'real' then the line stating denied before is confusing.

Clearly, the UI puts in IPs for which you've *specified* to be allowed, so
that makes sense...recursion for *those* is allowed.

But with no IPs specifically entered, does recursion (presumably to
everyone) then default to on or off?

Note the mouse-over help for the info for the Query Request box says "IP
addresses that are allowed to request recursion query"... which implies
that if you don't put some IPs in the box, NOBODY gets recursion.

If it defaults to 'on' with no explicit IPs entered, how do you turn it
OFF with the GUI?

Perhaps it's the terminology used that's the issue:

When I see "// recursion allowed", I don't read that as 'this box is
capable of recursion', but rather "Anyone is allowed to use recursion".

If the comment is meant to mean 'The box is capable of recursion' then
perhaps wording to that effect is in order.


> All in all recursion is a necessary evil. In /etc/resolv.conf you need
> to use at least one DNS server that allows recursion.

Yes, if you want to reach outside hosts, certainly.

We allow recursion for all machines in our network IP space by
specifically including those in the 'allow box' (or in named.conf 'allow
recursion' lines of non-BX boxes with nameservers), as shown in the
example.  Recursion for outside queries is not allowed.  We give info to
the outside only for zones for which we are authoritative.

> Otherwise your server will be unable to resolve anything that your
> nameservers aren't authoritative for.  Which screws up reverse lookups
> and throws a wrench into connecting to any service (until the recursion
> lookup of that service times out), screws up mailservers and impairs
> logging.

Yes.  That's why we specifically allow recursion for those.

> Sure, there are ways around it: Use one open nameserver that allows
> recursion.  That can be one from your ISP, a public one like the Google
> nameservers (8.8.8.8 or 8.8.4.4) or similar. Or allow recursion on at
> least one of your own nameservers and use that one instead. At the end
> of the day I usually use one of my own nameservers, because recursion is
> such an important matter that I'd rather have it in my own hands than to
> offload it to somewhere beyond my control.

We do all our own nameservice as well.  Internal machines all use our
servers (and by being allowed, can recurse through them), and external
machines can ask for info for domains we're authoritative for (but can't
recurse).  NONE are fully open for outside people to recurse through (at
least according to external test sites).

> Of course at the same time it's wise to limit the recursion to only
> allow it from the IP's (or address ranges) that you actually use.

Agreed!

> > Please see my other post with cut/paste examples of named.conf with and
> > without recursion IPs being included.
>
> Yeah, I've seen that. That's what I'd expect to see.

I'd have expected to see:

  // zone transfer access denied
  allow-transfer { none; };
  // recursion access denied
  allow-recursion {"none";};
  // recursion allowed        <--- Server does recursion: yes



> You see, we operate on the principal assumption that someone who sets up
> a BlueOnyx wants to use the box for certain purposes. He uses the DNS
> server on his box as resolver in /etc/resolv.conf and also uses it as
> authoritative nameserver for the domains he hosts.

Ok.. no problem here.  We do that now.

> That means he will need recursion enabled.

Then that box/network should be put in the 'allow recursion' list.

> We could take this one step further and could therefore add the primary
> IP of the box into the "Query Request Recursion Access by IP Address"
> input box of the "Advanced" tab in the DNS management page.

That seems like a good idea.

> Which would limit recursion to the primary IP of the server. Which would
> allow local recursion, but not a fully open recursion. If we'd do that,
> I'd fully expect a metric ton of "Help! My DNS server is not working!"
> questions from those people that thus far depended on their DNS servers
> to do recursion for other boxes as well.

Maybe the recursion part needs to be on the BASIC page:

   IPs of machines/networks listed may list this machine as a recursive
   server to the Internet. Any machine not listed here will receive DNS
   information *only* for domains hosted by this server, and NOT for
   hosts on the outside Internet.

> This was a design decision that was made even way before the start of
> the BlueOnyx project and it even predates BlueQuartz. If we tackle that
> now and change this behavior at runtime, it'll be quite controversial
> and will cause hardships.

It would seem then, that all the BX/BQ boxes are 'open' by default, which
is *asking* for DoS DNS reflector/amplifier attacks like those happening
in the other post.  Box gets hit with a forged source query, replies with
info (sometimes much more than the 1-packet request) back to the victim.
It's also doing lots of extra work making recursive queries for anyone
that asks.

In the original days, open recursion was fine...lots did it...we did it.
We also did open mail relaying (as did most others) until spammers started
spewing from any open relay box they could find to deflect blame from the
actual origin of the mail.

> At the same time the existing GUI already gives you all the tools you
> need to either turn off recursion entirely, or to limit it to certain
> IP's or networks. I don't say that it's perfect or can't be improved.
> But it's there and can be used.

Again, it's just confusing in how it reports...and if it defaults to
'fully open', that's scary.

And it's unclear how you turn it off entirely, since putting in no
specific exceptions seems to leave it turned on according to your comment
about the resulting named.conf file... it's off briefly, but then back on
again.

> > Also, the reply to that message from Gerald Waugh indicated a manual edit
> > worked for him, but the GUI didn't.
> I might have overlooked something, but I see a message from Gerald where
> he said he manually turned off recursion by editing named.conf. It
> doesn't say that it didn't work for him via the GUI.

His quote I was referencing:

     I have used this on several servers and it works, the gui does not
     help, tried it.

In the reflector attack case, even if he totally turns off recursion in
the server, then he'll still be sending back a 'refused' reply to the
victim...shorter and less size "amplification" than the real answer, but
still some outbound traffic to the victim...the only real way to deal with
that (absent any pending BIND revisions) is to drop the entire query
packet before it touches the server.


If it works with a manual edit, that will get lost when the file's
regenerated. :/
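Added example (not part of the thread, and not BlueOnyx or BIND code): a small checker that reads the `options { ... }` block of a named.conf and reports what recursion is *effectively* open to, which is the question the post above keeps circling. The point it makes concrete: named ignores `//` comments entirely, so a "// recursion allowed" line means nothing; `recursion yes;` only says the server is capable of recursing, and `allow-recursion { none; };` next to it means nobody gets to use that capability. It also shows the version-dependent default when `allow-recursion` is absent (`any` before BIND 9.4, `localhost; localnets;` from 9.4 on). The config samples are constructed for the example; `acl` definitions, keys and the `allow-query-cache`/`allow-query` fallbacks are deliberately out of scope.

```python
"""Classify what a BIND options block effectively allows recursion for.

Added example for this thread; it is not BlueOnyx or BIND code.  The
named.conf samples at the bottom are constructed, not taken from a real box.
"""
import re

# ACL elements that mean "the whole Internet".
OPEN_ELEMENTS = {"any", "0.0.0.0/0", "::/0"}


def strip_comments(text):
    """Remove /* */, // and # comments.  named ignores all three, so a
    '// recursion allowed' line has no effect on the server's behaviour."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of options { ... }, or '' if there is no such block."""
    clean = strip_comments(text)
    m = re.search(r"\boptions\s*\{", clean)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(clean)):
        if clean[i] == "{":
            depth += 1
        elif clean[i] == "}":
            depth -= 1
            if depth == 0:
                return clean[m.end():i]
    raise ValueError("unterminated options block")


def acl_list(body):
    """Parse the inside of '{ a; "b"; !c; }' into [(negated, element), ...]."""
    items = []
    for raw in body.split(";"):
        raw = raw.strip().strip('"')
        if not raw:
            continue
        neg = raw.startswith("!")
        items.append((neg, raw.lstrip("!").strip().strip('"').lower()))
    return items


def recursion_policy(conf, bind_version=(9, 4)):
    """Return (verdict, allowed) where verdict is one of
    'off'        - recursion no;  the server never recurses
    'closed'     - recursion yes; but allow-recursion admits nobody
    'restricted' - recursion yes; limited to the listed networks/ACLs
    'open'       - recursion yes; anyone on the Internet may use it
    """
    body = options_block(conf)
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no|true|false)\s*;", body)
    if rec and rec.group(1) in ("no", "false"):
        return "off", []
    acl = re.search(r"\ballow-recursion\s*\{([^}]*)\}\s*;", body)
    if acl:
        allowed = [e for neg, e in acl_list(acl.group(1)) if not neg]
    elif bind_version >= (9, 4):
        allowed = ["localhost", "localnets"]   # BIND 9.4+ default
    else:
        allowed = ["any"]                      # BIND <= 9.3 default: open resolver
    if not allowed or allowed == ["none"]:
        return "closed", allowed
    if OPEN_ELEMENTS & set(allowed):
        return "open", allowed
    return "restricted", allowed


# --- constructed samples -------------------------------------------------
# Shaped like the snippet the post above says it expected to see.
DENY_THEN_YES = """
options {
    directory "/var/named";
    // zone transfer access denied
    allow-transfer { none; };
    // recursion access denied
    allow-recursion {"none";};
    // recursion allowed
    recursion yes;
};
"""
OPEN_RESOLVER = "options { recursion yes; allow-recursion { any; }; };"
NO_ACL_AT_ALL = "options { recursion yes; };"
HARDENED = """
acl "ournet" { 192.0.2.0/24; 203.0.113.0/24; };   // hypothetical address space
options {
    recursion yes;
    allow-recursion { localhost; ournet; };
    allow-transfer { none; };
};
"""

if __name__ == "__main__":
    for name, conf in [("deny-then-yes", DENY_THEN_YES), ("open", OPEN_RESOLVER),
                       ("no-acl (9.3)", NO_ACL_AT_ALL), ("hardened", HARDENED)]:
        ver = (9, 3) if "9.3" in name else (9, 4)
        print("%-14s -> %s %s" % (name, *recursion_policy(conf, ver)))
```

The deny-then-yes sample comes out `closed`: the comment text is irrelevant and the ACL decides. The bare `options { recursion yes; }` case is the one worth checking on an older box, since it flips from `restricted` to `open` purely on the BIND version. To confirm what a running server actually does rather than what the file suggests, `named-checkconf -p` prints the parsed configuration with comments stripped, and a `dig @server www.example.com A` from an outside address that answers with `REFUSED` (or with `ra` missing from the flags) is the external confirmation the post refers to.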
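A second added example (again not from the thread or from BlueOnyx) for the reflector/amplifier concern raised above: a pass over BIND query-log lines that flags outside sources which ask the server to recurse, send `ANY` queries (a tiny request that earns a large answer, the classic amplification vector) or arrive in bursts. The log lines are constructed in the BIND 9 querylog layout (`client IP#port: query: NAME CLASS TYPE FLAGS (SERVER)`, where a leading `+` in FLAGS means the client set the recursion-desired bit); the "our networks" list stands in for whatever is in the GUI's allow box and is hypothetical. It complements, rather than replaces, the post's point that only dropping the packets upstream stops the `REFUSED` replies themselves.

```python
"""Flag likely DNS reflection/amplification abuse in BIND query logs.

Added example; not BlueOnyx code.  SAMPLE_LOG and OUR_NETS are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Networks we intentionally serve recursion for (hypothetical; stands in for
# the addresses a BlueOnyx admin would put in the "allow" box).
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed lines in the BIND 9 querylog format:
#   <timestamp> client <ip>#<port>: query: <name> <class> <type> <flags> (<server>)
# flags: '+' = recursion desired, '-' = not; 'E' = EDNS, 'T' = TCP, 'D' = DO.
SAMPLE_LOG = """\
27-Oct-2012 00:31:02.112 client 192.0.2.10#51234: query: www.example.org IN A + (192.0.2.2)
27-Oct-2012 00:31:02.450 client 198.51.100.7#40001: query: example.com IN A - (192.0.2.2)
27-Oct-2012 00:31:03.001 client 203.0.113.9#1234: query: isc.org IN ANY +E (192.0.2.2)
27-Oct-2012 00:31:03.002 client 203.0.113.9#1234: query: isc.org IN ANY +E (192.0.2.2)
27-Oct-2012 00:31:03.003 client 203.0.113.9#1234: query: isc.org IN ANY +E (192.0.2.2)
27-Oct-2012 00:31:04.500 client 203.0.113.9#1234: query: ripe.net IN ANY +E (192.0.2.2)
27-Oct-2012 00:31:05.000 client 198.51.100.7#40002: query: example.com IN MX - (192.0.2.2)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: (?P<name>\S+) "
    r"(?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)")


def parse_line(line):
    """Return a dict for one querylog line, or None if it is not a query line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["ip"] = ipaddress.ip_address(q["ip"])
    q["rd"] = q["flags"].startswith("+")     # client asked us to recurse
    return q


def is_ours(ip):
    """True for loopback and for addresses inside OUR_NETS."""
    return ip.is_loopback or any(ip in net for net in OUR_NETS)


def suspicious_sources(log_text, threshold=3):
    """Return {source_ip: [reasons]} for outside clients that look like
    reflection abuse.  Sources inside OUR_NETS are skipped: they are the
    ones we deliberately allow to recurse through this server."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None or is_ours(q["ip"]):
            continue
        c = per_ip[q["ip"]]
        c["total"] += 1
        if q["rd"]:
            c["rd"] += 1            # outsider wants recursion
        if q["type"].upper() == "ANY":
            c["any"] += 1           # small request, large (amplified) answer
    findings = {}
    for ip, c in per_ip.items():
        reasons = []
        if c["rd"]:
            reasons.append("%d recursive queries from outside our networks" % c["rd"])
        if c["any"]:
            reasons.append("%d ANY queries (amplification-friendly)" % c["any"])
        if c["total"] >= threshold:
            reasons.append("%d queries in the log window" % c["total"])
        if reasons:
            findings[str(ip)] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in suspicious_sources(SAMPLE_LOG).items():
        print(ip)
        for r in reasons:
            print("   -", r)
```

In the sample, the authoritative-only client (198.51.100.7, no RD bit, ordinary `A`/`MX` lookups) is exactly the traffic the post says outsiders should still get and is not flagged, while 203.0.113.9 trips all three tests. Remember that in a reflection attack the flagged "source" is the spoofed victim, not the attacker, so the output is a list of addresses to rate-limit or filter in front of named, not a list of people to contact.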