'uname -rms': Linux 2.6.30.4-spott-gecd13d4 i686

'/l/sbin/named -V': BIND 9.7.0a2 built with '--prefix=/opt/bind/9.7.0a2' '--with-openssl=yes' '--disable-linux-caps' '--sysconfdir=/usr/local/etc' '--localstatedir=/var' 'CFLAGS=-O'
I want to disallow rebinding attacks in a caching resolver. In the top-level options I have:

    deny-answer-addresses {
        127/8;
        192.168/16;
        10/8;
        172.16/12;
    } except-from {
        "zen.spamhaus.org";
        "dnsbl-1.uceprotect.net";
        "dnsbl-1.uceprotect.net";
        "ix.dnsbl.manitu.net";
    };

I get:

    received SIGHUP signal to reload zones
    loading configuration from '/usr/local/etc/named.conf'
    ...
    reloading configuration failed: already exists

Putting a suitably modified version of "deny-answer-addresses" into a forwarder zone returns:

    received SIGHUP signal to reload zones
    loading configuration from '/usr/local/etc/named.conf'
    /usr/local/etc/named.conf:83: unknown option 'deny-answer-addresses'

I also tried to split "deny-answer-addresses" into several pieces, but this yields "'deny-answer-addresses' redefined ...".

Countering DNS rebinding in a caching resolver always has to account for at least two practical problems: anti-spam RBLs and providers running split horizon. To handle the former, it should be possible to specify a statement, better several statements, where the denied IP ranges can be fitted with a number of exception domains. Split horizon would require putting "deny-answer-addresses" into forwarding zones.

IMO the current usage scenario, if I understood the configuration correctly, is only suited to domain owners running split horizon. But maybe this is a bug?

clemens

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
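The filter the post is configuring, modelled in Python as an added example (this is not BIND's code, and it is not from the original message). It takes the denied ranges and the except-from list exactly as posted and shows two things a practitioner would want before sending SIGHUP: a lint that flags names repeated in except-from (the posted list contains "dnsbl-1.uceprotect.net" twice; "already exists" is the text of ISC's ISC_R_EXISTS result code, so a doubled name is a plausible trigger, though that is an inference from the log text, not something the post confirms), and the accept/reject decision itself. The decision follows the documented rule that a response carrying an address in a denied range is answered with SERVFAIL unless the name is under an except-from domain; applying the exception to every owner name in a CNAME chain rather than only the query name is this example's assumption. The RBL and rebinding sample lookups are constructed for the example.

```python
"""Model of BIND's deny-answer-addresses / except-from rebinding filter.

Added example, not BIND code. The ranges and exception names are the ones
from the post; everything else is an assumption of this example.
"""
import ipaddress

# Denied ranges from the post, expanded to full CIDR notation.
DENY_ANSWER_ADDRESSES = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")
]

# except-from list exactly as posted, including the repeated entry.
EXCEPT_FROM = [
    "zen.spamhaus.org",
    "dnsbl-1.uceprotect.net",
    "dnsbl-1.uceprotect.net",
    "ix.dnsbl.manitu.net",
]


def normalize(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def duplicate_names(names):
    """Names that occur more than once after normalisation, first-seen order.

    Pre-reload lint (assumption of this example): a repeated except-from
    name is treated as a configuration error rather than silently merged.
    """
    seen, dups = set(), []
    for n in names:
        c = normalize(n)
        if c in seen and c not in dups:
            dups.append(c)
        seen.add(c)
    return dups


def is_subdomain(name: str, domain: str) -> bool:
    """True if name equals domain or lies below it (label-aligned)."""
    name, domain = normalize(name), normalize(domain)
    return name == domain or name.endswith("." + domain)


def is_excepted(name: str, except_from) -> bool:
    return any(is_subdomain(name, d) for d in except_from)


def denied_addresses(addresses, deny):
    """Subset of addresses that fall inside any denied range."""
    out = []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in deny):  # version mismatch is simply False
            out.append(a)
    return out


def filter_response(names, addresses, deny=DENY_ANSWER_ADDRESSES, except_from=EXCEPT_FROM):
    """Decide whether a resolver should pass an answer on.

    names:     owner names seen while resolving, query name first, then any
               CNAME targets (checking the whole chain is this example's
               assumption about where the exception applies).
    addresses: the A/AAAA rdata in the answer, as strings.
    Returns ("NOERROR", addresses) or ("SERVFAIL", offending_addresses):
    the whole response is rejected if a denied address appears and no name
    in the chain is under an except-from domain.
    """
    bad = denied_addresses(addresses, deny)
    if not bad:
        return ("NOERROR", list(addresses))
    if any(is_excepted(n, except_from) for n in names):
        return ("NOERROR", list(addresses))
    return ("SERVFAIL", bad)


if __name__ == "__main__":
    # Constructed sample lookups, not real resolver output.
    print("duplicates in except-from:", duplicate_names(EXCEPT_FROM))
    print(filter_response(["2.0.0.127.zen.spamhaus.org"], ["127.0.0.2"]))  # RBL hit, excepted
    print(filter_response(["www.attacker.example"], ["10.0.0.5"]))          # rebinding, rejected
    print(filter_response(["www.example.com"], ["93.184.216.34"]))          # ordinary answer
```

Run the lint first; if it reports anything, fix the list before reloading, since the decision function below it only describes the resolver's behaviour once the configuration has loaded.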