[nsp-sec] battling open resolvers - 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
Rob Lowe
rlowe at redhat.com
Mon Apr 22 20:59:55 EDT 2013
Hi,
Here's the result of my inquiries relating to this issue...
Red Hat Enterprise 5 systems ship an older (pre 9.4.1) version of bind
and a default configuration file which did enable recursion, but was
limited (via the listen-on parameter) to the localhost interface.
It is conceivable that less knowledgeable administrators may, in the
course of configuring an authoritative server, change the listening
interface and neglect to change the recursion settings.
The engineering group responsible for bind is looking at improving the
documentation in the default configuration to better explain the risks
of doing so. If you're interested you should be able to view the
progress at:
https://bugzilla.redhat.com/show_bug.cgi?id=952311
Red Hat Enterprise 6 and above ship with a version of bind which is
more recent than 9.4.1 and retains the default behaviour of bind
described in:
https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html
specifically:
'If not explicitly set, the ACLs for "allow-query-cache" and
"allow-recursion" were set to "localnets; localhost;".'
I'm happy to discuss further on list or direct. Also, please feel free
to comment in the above mentioned bugzilla item.
Regards,
Rob.
On 12/04/13 07:42, Rob Lowe wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> I'm aware of this setting and I'm currently working with the
> engineering product managers to try and improve our default
> configuration.
>
> Steve, can I please forward your email internally? These stats are
> useful in making a case. Does anyone (Jared?) have any statistics
> taken from a larger sample size?
>
> Thanks, Rob.
>
> On 04/11/2013 07:27 PM, Steve Colam wrote:
>> ----------- nsp-security Confidential --------
>
>> Hi Folks,
>
>> Well, I've just done a version lookup on the 5413 & 31290 data
>> and something interesting has come up:
>
>> dig +time=0 +tries=1 +retry=0 @<host> -c CH -t txt version.bind
>
>> There are 5957 hosts currently listed (I've ignored the live
>> timestamp)
>
>> For the hosts that didn't time out, this is a uniq -c | sort -rn
>> | head -10 on the version data:
>
>>     927 "9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6"
>>      83 "Unsupported on this platform"
>>      51 "PowerDNS Recursor 3.2 $Id: pdns_recursor.cc 1538 2010-03-06 11:39:03Z ahu $"
>>      40 "dnsmasq-2.52"
>>      36 "Microsoft DNS 6.1.7601 (1DB14556)"
>>      32 "Microsoft DNS 6.0.6002 (1772487D)"
>>      31 "Nominum Vantio 5.2.0.1"
>>      24 "9.2.4"
>>      21 "ZyWALL DNS"
>>      13 "Microsoft DNS 6.1.7600 (1DB04228)"
>
>> So - looks like we have a Redhat problem with default open
>> resolvers.... based on our data, if we can get this RedHat
>> resolver fixed, then 15% of the hosts are removed... a serious
>> result if that applies to the rest of the open resolvers at large
>> on the intertubes.
>
>> Does anyone have a contact at Redhat we can reach out to ?
>
>> Jared - can you share where you are getting your data from
>> please and your thoughts on why it does not align with the Cymru
>> data ? Also, is there an option to include some fingerprint info
>> so we can look for other similar large quick wins ?
>
>> Cheers,
>
>> Steve @ AS5413
>
>>>>>>> On Mon, 2013-03-25 at 09:54 -0400, Jared Mauch wrote:
>>>>>>>> ----------- nsp-security Confidential --------
>>>>>>>>
>>>>>>>> I have launched a public webpage for trying to close
>>>>>>>> the open resolvers down. please provide me feedback
>>>>>>>> in private, but check out the site here:
>>>>>>>>
>>>>>>>> openresolverproject.org
>>>>>>>>
>>>>>>>> This is free to share, as we are looking to get some
>>>>>>>> of these IPs closed down. We saw about 300G last
>>>>>>>> night, so doing your part to help here is
>>>>>>>> valuable...
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> - Jared
>
--
Rob Lowe | Red Hat Asia-Pacific
Information Security Analyst | http://www.redhat.com
Phone: +61 (0)7 35148244 | rlowe at redhat.com
5272 504B 6A97 415C 2EB2 E7B9 EDE4 0A83 CD9F E7A4
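As an added illustration of the two technical points in this thread (example code, not part of the thread and not Red Hat's or ISC's tooling): a small POSIX sh checker for the configuration drift Rob describes (recursion on, listen-on widened past localhost, no restrictive allow-recursion ACL) and the share calculation behind Steve's "15% of the hosts" estimate from the version.bind tally. The three named.conf fragments and the version.bind reply list are constructed samples; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the thread, Red Hat or ISC). It checks a
# named.conf "options" block for the drift Rob describes: recursion left on,
# listen-on widened past the loopback interface, and no restrictive
# allow-recursion ACL (BIND before 9.4.1 defaulted that ACL to "any").

# Constructed sample 1: the RHEL 5 style default, recursion on but the
# listener pinned to localhost.
DEFAULT_CONF='options {
    listen-on port 53 { 127.0.0.1; };
    recursion yes;
};'

# Constructed sample 2: the listener was widened for an authoritative zone
# and the recursion settings were left untouched.
WEAK_CONF='options {
    listen-on port 53 { any; };
    recursion yes;
};'

# Constructed sample 3: same listener, recursion scoped with the ACL that
# BIND 9.4.1 and later apply when nothing is set explicitly.
FIXED_CONF='options {
    listen-on port 53 { any; };
    recursion yes;
    allow-recursion { localnets; localhost; };
};'

# conf_list CONF NAME: print the address list inside "NAME { ...; };",
# one token per word, with comments and semicolons removed.
conf_list() {
    printf '%s\n' "$1" | sed 's|//.*||' | awk -v key="$2" '
        $1 == key { sub(/^[^{]*[{]/, ""); sub(/[}].*$/, ""); gsub(/[; ]+/, " "); print }'
}

# classify_conf CONF: one of authoritative-only, loopback-only,
# scoped-recursion or open-recursion (the open-resolver case).
classify_conf() {
    conf="$1"
    recursion=$(printf '%s\n' "$conf" | sed 's|//.*||' \
        | awk '$1 == "recursion" { gsub(/;/, "", $2); print $2 }' | tail -n 1)
    if [ -z "$recursion" ]; then
        recursion=yes            # BIND default when the statement is absent
    fi
    if [ "$recursion" = "no" ]; then
        echo authoritative-only
        return 0
    fi
    listen=$(conf_list "$conf" listen-on)
    exposed=0
    if [ -z "$listen" ]; then
        exposed=1                # no listen-on means every interface
    fi
    for addr in $listen; do
        case "$addr" in
            127.0.0.1|::1|localhost) ;;
            *) exposed=1 ;;
        esac
    done
    if [ "$exposed" -eq 0 ]; then
        echo loopback-only
        return 0
    fi
    acl=$(conf_list "$conf" allow-recursion)
    case " $acl " in
        "  ")      echo open-recursion ;;     # no ACL: pre-9.4.1 default is any
        *" any "*) echo open-recursion ;;
        *)         echo scoped-recursion ;;
    esac
}

# Constructed sample of version.bind replies, one host per line, standing in
# for the collected output of the dig loop in the thread.
VERSION_SAMPLE='"9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6"
"dnsmasq-2.52"
"9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6"
"Microsoft DNS 6.1.7601 (1DB14556)"
"9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6"
"9.2.4"'

# share_of REPLIES PATTERN: whole-number percentage of hosts whose version
# string matches PATTERN, i.e. how much of the list one fix would remove.
share_of() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        '{ n++ } $0 ~ pat { m++ } END { printf "%d\n", (100 * m) / n }'
}

for c in "$DEFAULT_CONF" "$WEAK_CONF" "$FIXED_CONF"; do
    classify_conf "$c"
done
printf '%s\n' "$VERSION_SAMPLE" | sort | uniq -c | sort -rn
echo "RedHat share: $(share_of "$VERSION_SAMPLE" RedHat)%"
```

The checker treats a missing allow-recursion ACL the same as "any", which is the pre-9.4.1 behaviour that makes the RHEL 5 case dangerous once listen-on is widened; on 9.4.1 and later the absent ACL would be "localnets; localhost;" instead, so the "open-recursion" verdict is the conservative reading for the older BIND. The sample reply list deliberately puts three of six hosts on the Red Hat version string, so the share comes out at 50%.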