From: Tom Jennings (tomj@wps.com)
Subject: Sub-domain RR leakage?
Newsgroups: comp.protocols.dns.bind
Date: 2000/07/18

We have a web-based site with many hosts in RFC1918 space, all in sub-domains, and one public second-level domain containing our public hosts. Most of the subdomains are on a few internal nameservers (with 10.* addresses) and aren't a problem.

Our "external" nameserver ns1.foo.com (domain names changed to protect the guilty) is primary for our top (2nd-level) domain; primary for one subdomain; and secondaries various other sub-domains (see CHART). ns1.foo.com is our enterprise-wide nameserver, as it knows all inside and outside data. It runs 8.2.2-p5 and listens on its one interface (has a static in its firewall). Queries and transfers of the various domains are strictly limited by BIND ACLs and I verified this carefully.

The problem is this: BIND is including RR data from sub-domains in zone-transfers of the top domain. The primary zone file FOO.COM contains NO references to ANY subdomain, yet named-xfer includes data from all subdomains in the transfer to a secondary. I ran named-xfer manually and verified this. And of course since the secondaries don't have my ACLs, queries for subdomain data against secondaries return RRs containing 10.* addresses.

Tell me it ain't so. I assume this is a screwup of mine (I can fix those easily). Any ideas?

HALP!

tomj

CHART:

                                 who can        who can
zone            auth             axfr?          query?
foo.com         primary          one ISP NS     ANY
SUB1.foo.com    primary          two int. NS    10/8
sub2.foo.com    secondary        none           10/8
sub3.foo.com    secondary        none           10/8

-----------------------------------------------------------------------
ZONE foo.com ON PRIMARY: (condensed)

$ORIGIN foo.com.
@       in      SOA     foo.com. networking.foo.com. (
                        ; yyyymmddnn
                        2000071302      ; serial
                        15m             ; refresh ((((just changed NS's!))))
                        5m              ; retry ((((have mercy!))))
                        30d             ; expiry
                        1d              ; minimum
                        )
        in      ns      ns1.foo.com.
        in      ns      ns2.foo.com.

((((A RRs follow))))

-----------------------------------------------------------------------
ZONE foo.com ON SECONDARY AFTER AXFR: (condensed)

; BIND version named 8.2.2-P5 Mon Feb 28 10:17:53 EST 2000
; BIND version root@porky.devel.redhat.com:/usr/src/bs/BUILD/bind-8.2.2_P5/src/bin/named
; zone 'foo.com' last serial 2000071301
; from 10.4.0.13:53 (local 10.8.0.3) using AXFR at Thu Jul 13 13:53:11 2000
$ORIGIN com.
foo     86400   IN      SOA     foo.com. networking.foo.com. (
                        2000071302 900 300 2592000 86400 )
        86400   IN      NS      ns1.foo.com.
        86400   IN      NS      ns2.foo.com.
        86400   IN      NS      ((((ISP nameserver))))
        86400   IN      NS      ((((ISP nameserver))))
$ORIGIN foo.com.
(((( the correct A RRs for this domain here))))

((((Leaked data follows this point))))
SUB1    3600    IN      NS      ns2.SUB1.foo.com.
$ORIGIN SUB1.foo.com.
((((A RRs here))))
ns2     86400   IN      A       10.8.0.3
$ORIGIN foo.com.
((((A RRs here))))
sub2    3600    IN      NS      ns.sub2.foo.com.
$ORIGIN sub2.foo.com.
((((A RRs here))))
ns      3600    IN      A       10.1.100.1
$ORIGIN foo.com.
((((A RRs here))))
sub2    3600    IN      NS      ns2.sub2.foo.com.
...
...
...

-----------------------------------------------------------------------
NAMED.CONF: (condensed)

options {
        /* By default, allow inside users to query, only. */
        allow-query { 127/8; 10/8; 192.168/16; };
        also-notify { 10.8.0.3; 10.1.100.1; 10.5.100.1; };
        /* By default, only internal nameservers can axfr */
        allow-transfer { 127.0.0.1; 10.4.0.13; 10.8.0.3; 10.1.100.1; 10.5.100.1; };
};

zone "foo.com" {
        type master;
        file "foo.com";
        allow-query { ANY; };           /* this domain is public */
        allow-transfer { 127.0.0.1; 64.209.167.75; 64.41.147.13; (((( ISP nameservers )))) };
};

/* We primary this sub-domain */
zone "SUB1.foo.com" {
        type master;
        file "SUB1.foo.com";
};

/* We secondary N of these sub-domains */
zone "sub2.foo.com" {
        type slave;
        file "secondary/sub2.foo.com";
        masters { 10.1.100.1; 10.5.100.1; };
};

---
INFORMATION GLADLY GIVEN BUT SAFETY REQUIRES AVOIDING UNNECESSARY CONVERSATION


From: Tom Jennings (tomj@wps.com)
Subject: Re: Sub-domain RR leakage?
Newsgroups: comp.protocols.dns.bind
Date: 2000/07/20

> On Tue, Jul 18, 2000 at 10:03:01AM -0700, Tom Jennings wrote:
> ...
> > The problem is this: BIND is including RR data from sub-domains in
> > zone-transfers of the top domain. The primary zone file FOO.COM
> > contains NO references to ANY subdomain, yet named-xfer includes
> > data from all subdomains in the transfer to a secondary. I ran
> > named-xfer manually and verified this. And of course since the
> > secondaries don't have my ACLs, queries for subdomain data against
> > secondaries return RRs containing 10.* addresses.
> ...

On Tue, 18 Jul 2000, Joseph S D Yao wrote:

> IIRC, known bug, fixed in BIND 9.*.

Oh great. I can't think of a workaround other than installing a second ethernet card, even on the same network, and running two BINDs and not letting them talk (which presents another whole series of problems, eg. I really NEED to secondary!).

Is there another solution? I won't even ask when BIND 9.x will be out.

Thanks for the reply though (really :-). At least I'm not crazy (more accurately, this problem isn't evidence of that).

tomj

---
INFORMATION GLADLY GIVEN BUT SAFETY REQUIRES AVOIDING UNNECESSARY CONVERSATION

Ref: Newsgroups - comp.protocols.dns.bind (18-Jul-2000)
http://groups.google.com/groups?hl=en&lr=&safe=off&ic=1&th=7761c5ec039338b2,3&seekm=Pine.BSF.4.10.10007200912460.64951-100000%40fido.wps.com#p
By: Tom Jennings
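As an added example (not from the thread or from BIND itself), a small audit that a secondary's operator could run over a master-format dump of a transferred parent zone to catch exactly what the poster describes: records sitting below a delegation cut that do not belong in the parent, and RFC1918 addresses that a public secondary would hand out. The dump, names and addresses below are constructed to mirror the condensed listing, and the parser does not handle parenthesised multi-line records.

```python
import ipaddress

# Constructed parent-zone AXFR dump modelled on the thread's condensed listing;
# names and addresses are illustrative, not the poster's real data.
AXFR_DUMP = """\
$ORIGIN com.
foo 86400 IN SOA ns1.foo.com. networking.foo.com. 2000071302 900 300 2592000 86400
 86400 IN NS ns1.foo.com.
$ORIGIN foo.com.
ns1 86400 IN A 192.0.2.53
SUB1 3600 IN NS ns2.SUB1.foo.com.
$ORIGIN SUB1.foo.com.
ns2 86400 IN A 10.8.0.3
intranet 86400 IN A 10.8.0.20
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def qualify(name, origin):  # absolute owner name under the current $ORIGIN
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin.lstrip(".")

def parse_zone(text):
    """Master-format dump -> list of (owner, type, rdata); no ( ) continuation support."""
    origin, owner, records = ".", None, []
    for line in (l.split(";")[0].rstrip() for l in text.splitlines()):
        fields = line.split()
        if not fields or fields[0] == "$ORIGIN":   # blank line or $ORIGIN directive
            origin = fields[1] if fields else origin
            continue
        if not line[0].isspace():                  # explicit owner, else reuse previous
            owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                          # optional TTL and class
        records.append((owner.lower(), fields[0].upper(), [f.lower() for f in fields[1:]]))
    return records

def audit_transfer(records, zone):
    """Flag data below a delegation cut, and RFC1918 addresses, in a public zone's AXFR."""
    zone = zone.lower().rstrip(".") + "."
    cuts = {o for o, t, _ in records if t == "NS" and o != zone}
    glue = {r[0] for o, t, r in records if t == "NS" and o in cuts}
    findings = []
    for owner, rtype, rdata in records:
        cut = next((c for c in cuts if owner == c or owner.endswith("." + c)), None)
        if cut and not (rtype == "NS" and owner == cut) and owner not in glue:
            findings.append((owner, rtype, "data below delegation cut " + cut))
        elif rtype == "A" and any(ipaddress.ip_address(rdata[0]) in n for n in RFC1918):
            findings.append((owner, rtype, "RFC1918 address " + rdata[0]))
    return findings
```

Feed it the output of a real transfer (for example the secondary's zone file after AXFR) and an empty findings list means nothing below a cut and no private addresses reached the public copy.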