Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dnsdist + auth-ns: insecure default settings #8038

Closed
klaus3000 opened this issue Jul 8, 2019 · 5 comments · Fixed by #9238
Closed

dnsdist + auth-ns: insecure default settings #8038

klaus3000 opened this issue Jul 8, 2019 · 5 comments · Fixed by #9238

Comments

@klaus3000
Copy link

klaus3000 commented Jul 8, 2019

  • Program: pdns-auth + dnsdist
  • Issue type: request for comments

Short description

When running an authoritative name server, thery are often configured to allow XFR for 127.0.0.1. I.e. PDNS-Auth has as default:

disable-axfr=no
allow-axfr-ips=127.0.0.0/8,::1

When putting dnsdist in front of the auth name server, running on the same host, the communication between dnsdist and the auth name server uses 127.0.0.1. As dnsdist also forwards XFR requests, suddenly the safe default xfr settings become insecure.

I would propose a default setting for dnsdist to refuse XFR or have a default entry like this in the default config file:

--
-- Refuse incoming AXFR,IXFR,NOTIFY,UPDATE from unknown sources.
-- Add trusted sources (slaves, masters) explicitely in front of this rule
--
addAction(OrRule({OpcodeRule(DNSOpcode.Notify), OpcodeRule(DNSOpcode.Update), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))

@mind04
Copy link
Contributor

mind04 commented Jul 8, 2019

I'm not sure dnsdist is the right place to fix this. But switching the default for 'disable-axfr' to 'yes' is definitely a security improvement in the dns load-balancer era.

@ronivay
Copy link

ronivay commented Apr 17, 2020

dnsdist ships (at least from .deb and .rpm packages) with close to empty or completely empty config file. It takes surprisingly long time to figure out all the necessary configuration from the documentation.

Would be great to have at least the most common configs already in place commented out. Security being the most important one obviously.

It is indeed easily left unsecure when deployed locally to same server where authoritative (or even recursive) pdns lives because of the fact that access from localhost is usually considered safe.

I'd suggest adding at least:

newServer
addLocal
setACL (addACL)
Block/restrict IXFR,AXFR,NOTIFY,UPDATE

@rgacogne
Copy link
Member

It is indeed easily left unsecure when deployed locally to same server where authoritative (or even recursive) pdns lives because of the fact that access from localhost is usually considered safe.

I don't fully agree with this, the default ACL of dnsdist restricts access to rfc1918 so it's not wide open.

But I agree a configuration file with some commented out configuration would be nice to have, I'd be happy to merge a pull request doing that.

@ronivay
Copy link

ronivay commented Apr 17, 2020

I don't fully agree with this, the default ACL of dnsdist restricts access to rfc1918 so it's not wide open.

Yeah i mean the communication between dnsdist and downstream pdns like described in the first post of this issue when AXFR is fully open if not explicitly blocked by dnsdist or pdns (which it isn't by default). Assuming dnsdist is accepting connections from everywhere as you'd expect if pdns behind it is authoritative. So yeah, not out of the box but easily achieved by accident.

@omoerbeek
Copy link
Member

omoerbeek commented Apr 17, 2020

Actually, we have a start:

https://github.com/PowerDNS/pdns/blob/master/pdns/dnsdistconf.lua

This file is included in the dist tarball and installed in /usr/local/share/examples/dnsdist/dnsdistconf.lua on OpenBSD. So it's more a question of updating/improving it including it in the packages.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants