bind: default config allows recursive queries which could allow remote attackers to cause a DoS

Related Vulnerabilities: CVE-2006-0987  

Debian Bug report logs - #355787

Package: bind9; Maintainer for bind9 is Debian DNS Team <team+dns@tracker.debian.org>; Source for bind9 is src:bind9 (PTS, buildd, popcon).

Reported by: SALVETTI Djoume <djoume@taket.org>

Date: Tue, 7 Mar 2006 21:49:06 UTC

Severity: normal

Tags: security, wontfix

Done: LaMont Jones <lamont@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#355787; Package bind.


Acknowledgement sent to SALVETTI Djoume <djoume@taket.org>:
New Bug report received and forwarded. Copy sent to LaMont Jones <lamont@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: SALVETTI Djoume <djoume@taket.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind: default config allows recursive queries which could allow remote attackers to cause a DoS
Date: Tue, 07 Mar 2006 22:30:05 +0100
Package: bind
Version: 1:8.4.6-1
Severity: normal


Good day,

From CVE-2006-0987:

>  The default configuration of ISC BIND, when configured as a caching
>  name server, allows recursive queries and provides additional
>  delegation information to arbitrary IP addresses, which allows remote
>  attackers to cause a denial of service (traffic amplification) via
>  DNS queries with spoofed source IP addresses.

References:

http://www.securityfocus.com/archive/1/archive/1/426368/100/0/threaded
http://dns.measurement-factory.com/surveys/sum1.html
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf

I've checked that the default install on Debian allows recursive queries, but
I'm not sure if this is really a problem or not.

The workaround I can see would be to listen only on loopback for
non-authoritative queries (as djbdns does) if we want to have a caching
server (with recursion).

But I'm far from being a DNS expert so perhaps I've missed something...

Regards

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages bind depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  netbase                     4.21         Basic TCP/IP networking system

-- no debconf information



Tags added: security. Request was from Djoume SALVETTI <djoume@taket.org> to control@bugs.debian.org.


Tags added: wontfix. Request was from LaMont Jones <lamont@debian.org> to control@bugs.debian.org.


Bug reassigned from package `bind' to `bind9'. Request was from Marco Rodrigues <gothicx@sapo.pt> to control@bugs.debian.org. (Sun, 13 Jul 2008 22:08:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#355787; Package bind9.


Acknowledgement sent to Marco Rodrigues <gothicx@sapo.pt>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.


Message #16 received at 355787@bugs.debian.org:

From: Marco Rodrigues <gothicx@sapo.pt>
To: 402231@bugs.debian.org, 92147@bugs.debian.org, 52745@bugs.debian.org, 197670@bugs.debian.org, 481921@bugs.debian.org, 157245@bugs.debian.org, 248193@bugs.debian.org, 442910@bugs.debian.org, 81252@bugs.debian.org, 156349@bugs.debian.org, 94760@bugs.debian.org, 212625@bugs.debian.org, 260915@bugs.debian.org, 402232@bugs.debian.org, 86488@bugs.debian.org, 149342@bugs.debian.org, 282239@bugs.debian.org, 128129@bugs.debian.org, 62547@bugs.debian.org, 106789@bugs.debian.org, 46856@bugs.debian.org, 85081@bugs.debian.org, 242579@bugs.debian.org, 45470@bugs.debian.org, 50013@bugs.debian.org, 88326@bugs.debian.org, 95773@bugs.debian.org, 190577@bugs.debian.org, 53550@bugs.debian.org, 132492@bugs.debian.org, 24280@bugs.debian.org, 441290@bugs.debian.org, 88982@bugs.debian.org, 355787@bugs.debian.org, 199252@bugs.debian.org, 70079@bugs.debian.org, 213706@bugs.debian.org, 129710@bugs.debian.org, 170872@bugs.debian.org, 86013@bugs.debian.org, 280955@bugs.debian.org, 260759@bugs.debian.org, 99538@bugs.debian.org, 234167@bugs.debian.org, 132582@bugs.debian.org, 81190@bugs.debian.org, 352054@bugs.debian.org, 169124@bugs.debian.org, 132494@bugs.debian.org, 55032@bugs.debian.org, 85909@bugs.debian.org, 197669@bugs.debian.org, control@bugs.debian.org, bind9@packages.debian.org
Subject: Reassigning bugs from bind to bind9
Date: Sun, 13 Jul 2008 23:01:40 +0100
reassign 402231 bind9
reassign 92147 bind9
reassign 52745 bind9
reassign 197670 bind9
reassign 481921 bind9
reassign 157245 bind9
reassign 248193 bind9
reassign 442910 bind9
reassign 81252 bind9
reassign 156349 bind9
reassign 94760 bind9
reassign 212625 bind9
reassign 260915 bind9
reassign 402232 bind9
reassign 86488 bind9
reassign 149342 bind9
reassign 282239 bind9
reassign 128129 bind9
reassign 62547 bind9
reassign 106789 bind9
reassign 46856 bind9
reassign 85081 bind9
reassign 242579 bind9
reassign 45470 bind9
reassign 50013 bind9
reassign 88326 bind9
reassign 95773 bind9
reassign 190577 bind9
reassign 53550 bind9
reassign 132492 bind9
reassign 24280 bind9
reassign 441290 bind9
reassign 88982 bind9
reassign 355787 bind9
reassign 199252 bind9
reassign 70079 bind9
reassign 213706 bind9
reassign 129710 bind9
reassign 170872 bind9
reassign 86013 bind9
reassign 280955 bind9
reassign 260759 bind9
reassign 99538 bind9
reassign 234167 bind9
reassign 132582 bind9
reassign 81190 bind9
reassign 352054 bind9
reassign 169124 bind9
reassign 132494 bind9
reassign 55032 bind9
reassign 85909 bind9
reassign 197669 bind9
thanks

The bind package has been removed from Debian testing, unstable and
experimental. I am reassigning its bugs to the bind9 package. Please
have a look at them, and close them if they don't apply to
bind9 anymore.

Don't hesitate to reply to this mail if you have any question.

--
Marco Rodrigues
http://Marco.Tondela.org




Reply sent to LaMont Jones <lamont@debian.org>:
You have taken responsibility. (Wed, 29 Jul 2009 13:18:05 GMT)


Notification sent to SALVETTI Djoume <djoume@taket.org>:
Bug acknowledged by developer. (Wed, 29 Jul 2009 13:18:05 GMT)


Message #21 received at 355787-done@bugs.debian.org:

From: LaMont Jones <lamont@debian.org>
To: SALVETTI Djoume <djoume@taket.org>, 355787-done@bugs.debian.org
Subject: Re: Bug#355787: bind: default config allows recursive queries which could allow remote attackers to cause a DoS
Date: Wed, 29 Jul 2009 07:14:11 -0600
> From CVE-2006-0987:
> >  The default configuration of ISC BIND, when configured as a caching
> >  name server, allows recursive queries and provides additional
> >  delegation information to arbitrary IP addresses, which allows remote
> >  attackers to cause a denial of service (traffic amplification) via
> >  DNS queries with spoofed source IP addresses.

The default was changed in 9.4 to not recurse by default.

lamont
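The reporter's workaround (answer recursive queries only for local clients) and the maintainer's note that BIND 9.4 stopped recursing for arbitrary sources by default both come down to one question: does the resolver grant recursion to anyone who asks? The POSIX shell script below is an added example, not part of this bug log or of the bind9 package. It audits a named.conf options text for the open-recursion shape described in CVE-2006-0987 beside a restricted form, and classifies captured dig header output by its RA (recursion available) flag. The configuration texts, the ACL name "trusted", the 192.0.2.0/24 range and the dig output are all constructed samples; the audit assumes one statement per line and treats any configuration that does not explicitly restrict allow-recursion as open, which is the conservative reading for pre-9.4 defaults.

```shell
#!/bin/sh
# Added example: audit BIND options for open recursion and classify dig output.
# Not from the bug report; config texts and dig output below are constructed.

# Constructed sample: the open-resolver shape of CVE-2006-0987.
# Recursion is on and nothing limits which clients may use it.
WEAK_CONF='options {
    directory "/var/cache/bind";
    recursion yes;
    listen-on { any; };
};'

# Constructed sample: recursion kept, but only for loopback and one local
# range (192.0.2.0/24 is documentation space, used here as a placeholder).
HARDENED_CONF='acl "trusted" { 127.0.0.0/8; ::1; 192.0.2.0/24; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    listen-on { 127.0.0.1; };
};'

# audit_conf CONFIG_TEXT -> prints "no-recursion", "restricted" or "open".
# Heuristic: one statement per line; comments (// and #) are stripped first.
audit_conf() {
    conf=$(printf '%s\n' "$1" | sed 's://.*$::; s:#.*$::')
    if printf '%s\n' "$conf" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;'; then
        echo no-recursion
        return 0
    fi
    # Restricted only when allow-recursion is present AND its list is not "any".
    if printf '%s\n' "$conf" | grep -Eq 'allow-recursion[[:space:]]*\{[^}]*\}' &&
       ! printf '%s\n' "$conf" | grep -Eq 'allow-recursion[[:space:]]*\{[^}]*[{[:space:];]any[[:space:]]*;'; then
        echo restricted
        return 0
    fi
    echo open
}

# Constructed dig header lines, as a monitoring job might capture them
# (not real server output).  An open resolver sets RA for outside clients;
# a restricted one typically answers REFUSED without RA.
OPEN_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

CLOSED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1235
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# recursion_available DIG_OUTPUT -> "yes" if the RA flag is set, else "no".
recursion_available() {
    if printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]*[[:space:]]ra([[:space:]]|;)'; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: report both configs and both captured replies.
echo "weak config:      $(audit_conf "$WEAK_CONF")"
echo "hardened config:  $(audit_conf "$HARDENED_CONF")"
echo "open reply RA:    $(recursion_available "$OPEN_REPLY")"
echo "closed reply RA:  $(recursion_available "$CLOSED_REPLY")"
```

To use the RA check against a live resolver you operate, feed it the output of `dig @<resolver> <name>` from a host outside the intended client range; "yes" for an outside client means the server is still answering recursive queries for arbitrary sources, which is the condition the CVE text describes.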




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Aug 2009 07:33:35 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:26:09 2019; Machine Name: beach
