> On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote:
>> Yes, this is one of the problems with "authoritative zones for local use".

On 28.03.23 12:18, Grant Taylor via bind-users wrote:
> Authorizing the /zone/ for local use wasn't the problem. The problem
> was that the world could get some of that zone's data from the query
> cache even if they couldn't query the zone directly.

When was this?
Querying the cache is by default allowed for the same clients as recursion,
unless perhaps it was an old BIND version.

>> The default root "hint" zone is only available for those who have
>> recursion available.

> I feel like the "root hint zone" is considerably different than "root
> zone" proper. The fact that they have different zone types seems to
> support that.
Yes. The content of the hint zone is abused to generate amplification attacks:

Mar 26 16:03:53 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59467 (.): query (cache) './ANY/IN' denied
If you have a local root zone, the response is provided by default, and it can be
huge:

% dig +noanswer +noadditional +nocomments +nocmd +noquestion -t any . @fantomas.fantomas.sk
;; Query time: 0 msec
;; SERVER: 195.80.174.185#53(195.80.174.185)
;; WHEN: Wed Mar 29 09:23:27 CEST 2023
;; MSG SIZE rcvd: 2904

But the default "type hint" root is treated as cache, and REFUSED is sent.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
On the other hand, you have different fingers.
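The log line quoted above is what a defender actually sees when allow-query-cache refuses an ANY query for the root, so here is an added example (written for this page, not code from the bind-users thread or from BIND) that parses those "query (cache) ... denied" lines, counts refused './ANY/IN' queries per client so repeat offenders can be rate-limited, and estimates the response-to-request ratio a local root zone served to everyone would offer, using the 2904-byte MSG SIZE from the dig output. The 28-byte request size is an assumption (a minimal EDNS query for ANY .), and every log line except the first is constructed.

```python
"""Spot clients probing a BIND resolver with refused ANY queries for the root.

Added example for this thread, not code from the bind-users post or from
BIND. It parses the "query (cache) ... denied" lines named logs when
allow-query-cache rejects a client, counts refused './ANY/IN' queries per
source address, and estimates the amplification a local root zone served
to everyone would offer (2904-byte answer, from the dig output above).
"""
import re
from collections import Counter

# Matches the named log message quoted in the thread:
#   client @0xe7379d50 195.88.25.138#59467 (.): query (cache) './ANY/IN' denied
# The "@0x..." client handle is optional because older BIND versions omit it.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query \((?P<source>[a-z]+)\) "
    r"'(?P<name>[^/']*)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied"
)

# The first line is the one quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    "Mar 26 16:03:53 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59467 "
    "(.): query (cache) './ANY/IN' denied",
    "Mar 26 16:03:54 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59468 "
    "(.): query (cache) './ANY/IN' denied",
    "Mar 26 16:03:55 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59469 "
    "(.): query (cache) './ANY/IN' denied",
    "Mar 26 16:04:01 fantomas named[1654]: client @0xe7379e60 203.0.113.7#4242 "
    "(example.com): query (cache) 'example.com/A/IN' denied",
    "Mar 26 16:04:02 fantomas named[1654]: client @0xe7379e60 192.0.2.9#53000 "
    "(.): query (cache) './ANY/IN' denied",
    # an ordinary query-log line, which the parser must ignore
    "Mar 26 16:04:03 fantomas named[1654]: query: www.example.com IN A + (192.0.2.1)",
]


def parse_denied(line):
    """Return the fields of a denied-query line, or None for any other line."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarise(lines):
    """Count denied queries per (client ip, query name, query type)."""
    counts = Counter()
    for line in lines:
        rec = parse_denied(line)
        if rec is not None:
            counts[(rec["ip"], rec["name"], rec["qtype"])] += 1
    return counts


def suspicious_clients(lines, threshold=3):
    """Clients with at least `threshold` refused ANY queries for the root.

    Repeated ANY/. at a server that refuses it is the pattern from the thread:
    the query costs the sender almost nothing, so a burst of them is worth a
    look (and a rate limit) even though the server only answered REFUSED.
    """
    per_client = Counter()
    for (ip, name, qtype), n in summarise(lines).items():
        if name == "." and qtype == "ANY":
            per_client[ip] += n
    return {ip: n for ip, n in per_client.items() if n >= threshold}


def amplification_factor(response_bytes, request_bytes=28):
    """Response size divided by request size.

    28 bytes is an assumed minimal 'ANY .' query over UDP: 12-byte header,
    5-byte question (root name + type + class) and an 11-byte EDNS OPT
    record. 2904 is the "MSG SIZE rcvd" from the thread's dig output.
    """
    return response_bytes / request_bytes


if __name__ == "__main__":
    for (ip, name, qtype), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{ip:15} {name:12} {qtype:5} refused {n}x")
    print("clients to rate-limit:", suspicious_clients(SAMPLE_LOG))
    print(f"ANY . amplification if served: ~{amplification_factor(2904):.0f}x")
```

Run it against a real named log by replacing SAMPLE_LOG with the file's lines; the threshold is deliberately low for the sample and should be tuned to the resolver's normal traffic.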