ISC Support Bulletin – July 2007
Document last updated: 2007-07-30

There has been some confusion surrounding the changes to the "allow-recursion" and "allow-query-cache" options made with BIND 9.4.1-P1. This document will attempt to clarify the change and the impact that it makes on BIND servers.
In BIND 9.3, there was no segregation of queries between cache and authoritative data.
The release of BIND 9.4 added fine-grained differentiation between queries against authoritative data (“allow-query”) and cached data (“allow-query-cache”). This allows more precise control, particularly if you do not want your clients to use any cached data, for example, in an authoritative-only nameserver.
Prior to the release of BIND 9.4.1-P1, the default action of “allow-recursion” and “allow-query-cache” was to permit the query. The P1 patch to BIND 9.4.1 caused two changes in this behavior:
1) If not explicitly set, the ACLs for “allow-query-cache” and “allow-recursion” were set to “localnets; localhost;”.
2) If either “allow-query-cache” or “allow-recursion” was set, the other would be set the same value.
Upgrading from the BIND 9.3 branch to BIND 9.4.1-P1 will significantly restrict those servers that were previously recursive servers for more than “localhost; localnets;” unless configuration changes are made.
To retain the behavior prior to BIND 9.4.1-P1, the following entries should be created in your named.conf file:
options {
    …
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
    …
};

We strongly advise against this configuration because clients spoofing queries can use your servers to launch distributed denial-of-service attacks.
The recommended method is to create ACLs that match the hosts that should be allowed access to cache and recursion on the servers. For example, if you wanted to provide recursion and access to the cache to clients you trusted, you could list them in an ACL such as the following:
acl "trusted" {
    192.168.0.0/16;
    10.153.154.0/24;
    localhost;
    localnets;
};

options {
    …
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    …
};

This example ACL includes 192.168.0.0/16 and 10.153.154.0/24 as sample networks that would require access. You must replace these sample networks with networks that correctly reflect your environment. This will allow anyone to query your server for authoritative data, but give only those hosts within the "trusted" ACL access to your cache and recursion.
After making the changes, restart named/bind and it should now be responding to queries.
If you would like to create an ACL to limit access, put the following above the "options" block:
acl "trusted" {
192.168.0.0/16;
10.153.154.0/24;
localhost;
localnets;
};
Now, within the options block, change the settings so that recursion and query-cache access are allowed from this trusted ACL only. Keep "allow-query { any; }" because the server must still answer queries for the DNS zones it hosts.
allow-query { any; };
allow-recursion { trusted; };
allow-query-cache { trusted; };
Restart named/bind and you should be all set with an ACL. Make sure to edit the ACL with the IP address ranges for your servers or network.
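The following Python script is an added example, not part of the bulletin and not ISC code. It applies the two 9.4.1-P1 rules described above (unset options default to "localnets; localhost;", and if only one of "allow-recursion" / "allow-query-cache" is set the other mirrors it) to a named.conf fragment, expands named ACLs such as "trusted", and flags a configuration that still hands recursion or cache access to "any". The named.conf fragments, the function names and the sample networks are constructed for illustration; it covers both the recommended configuration in the bulletin and the step-by-step version repeated just above.

```python
import re

# Constructed named.conf fragments used as sample input (not from the bulletin).
OPEN_RECURSION_CONF = """
options {
    directory "/var/named";   // BIND accepts //, # and /* */ comments
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
};
"""

RESTRICTED_CONF = """
acl "trusted" {
    192.168.0.0/16;   # sample network, replace with your own
    10.153.154.0/24;
    localhost;
    localnets;
};
options {
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
"""

UNSET_CONF = 'options { directory "/var/named"; };'
ONE_SET_CONF = "options { allow-recursion { 10.0.0.0/8; }; };"


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _block_body(text, pos):
    """Return the text between the '{' at or after pos and its matching '}'."""
    start = text.index("{", pos)
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _elements(body):
    """Split an address-match list body ('a; b; c;') into its elements."""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(conf):
    """Map each 'acl NAME { ... };' statement to its list of elements."""
    conf = _strip_comments(conf)
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*(?=\{)', conf):
        acls[m.group(1)] = _elements(_block_body(conf, m.end()))
    return acls


def _option_list(conf, name):
    """Elements of an options-block entry such as allow-recursion, or None if unset."""
    conf = _strip_comments(conf)
    m = re.search(r"\boptions\s*(?=\{)", conf)
    if not m:
        return None
    body = _block_body(conf, m.end())
    opt = re.search(r"\b" + re.escape(name) + r"\s*\{([^{}]*)\}", body)
    return _elements(opt.group(1)) if opt else None


def effective_policy(conf):
    """Apply the two 9.4.1-P1 rules from the bulletin to the options block."""
    recursion = _option_list(conf, "allow-recursion")
    cache = _option_list(conf, "allow-query-cache")
    if recursion is None and cache is None:
        recursion = cache = ["localnets", "localhost"]  # rule 1: default ACL
    elif recursion is None:
        recursion = cache  # rule 2: the unset option mirrors the set one
    elif cache is None:
        cache = recursion
    return {"allow-recursion": recursion, "allow-query-cache": cache}


def expand(elements, acls, _seen=None):
    """Flatten named ACL references into their member entries (cycle-safe)."""
    _seen = set() if _seen is None else _seen
    out = []
    for e in elements:
        if e in acls and e not in _seen:
            _seen.add(e)
            out.extend(expand(acls[e], acls, _seen))
        else:
            out.append(e)
    return out


def is_open_resolver(conf):
    """True if recursion or cache access is granted to 'any' after ACL expansion."""
    acls = parse_acls(conf)
    return any("any" in expand(v, acls) for v in effective_policy(conf).values())


if __name__ == "__main__":
    for label, conf in [("open", OPEN_RECURSION_CONF), ("restricted", RESTRICTED_CONF),
                        ("unset", UNSET_CONF), ("one-set", ONE_SET_CONF)]:
        print(label, effective_policy(conf), "OPEN" if is_open_resolver(conf) else "ok")
```

Run it against your own named.conf by reading the file into a string and passing it to is_open_resolver(); the "allow-query { any; }" entry is deliberately not checked, since the bulletin intends authoritative data to remain queryable by anyone.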