dnsdist + auth-ns: insecure default settings #8038
Comments
I'm not sure dnsdist is the right place to fix this. But switching the default for 'disable-axfr' to 'yes' is definitely a security improvement in the dns load-balancer era.
dnsdist ships (at least from .deb and .rpm packages) with a close to empty or completely empty config file. It takes a surprisingly long time to figure out all the necessary configuration from the documentation. It would be great to have at least the most common configs already in place, commented out. Security being the most important one, obviously. It is indeed easily left unsecure when deployed locally to the same server where authoritative (or even recursive) pdns lives, because of the fact that access from localhost is usually considered safe. I'd suggest adding at least: newServer
I don't fully agree with this, the default ACL of dnsdist restricts access to rfc1918 so it's not wide open. But I agree a configuration file with some commented out configuration would be nice to have, I'd be happy to merge a pull request doing that.
Yeah, I mean the communication between dnsdist and downstream pdns, like described in the first post of this issue, when AXFR is fully open if not explicitly blocked by dnsdist or pdns (which it isn't by default). Assuming dnsdist is accepting connections from everywhere, as you'd expect if pdns behind it is authoritative. So yeah, not out of the box but easily achieved by accident.
Actually, we have a start: https://github.com/PowerDNS/pdns/blob/master/pdns/dnsdistconf.lua This file is included in the dist tarball and installed in
Short description
When running an authoritative name server, they are often configured to allow XFR for 127.0.0.1. I.e. PDNS-Auth has as default:
When putting dnsdist in front of the auth name server, running on the same host, the communication between dnsdist and the auth name server uses 127.0.0.1. As dnsdist also forwards XFR requests, suddenly the safe default xfr settings become insecure.
I would propose a default setting for dnsdist to refuse XFR or have a default entry like this in the default config file:
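A dnsdist configuration that makes the transfer decision on the real client address, as an added example that is not part of the original post or of the configuration file the project ships. The listen address, the backend port 5300, the server name and the secondary addresses (documentation ranges) are assumptions, and the `DNSRCode` constants require dnsdist 1.4.0 or later.

```lua
-- Added example; all addresses, ports and names below are placeholders.
-- Assumed layout: dnsdist answers on port 53 and forwards to a PowerDNS
-- Authoritative Server listening on 127.0.0.1:5300 on the same host.
setLocal('0.0.0.0:53')

-- An authoritative service is normally reachable from everywhere, so the
-- default RFC 1918 ACL mentioned in the thread gets widened.
setACL({'0.0.0.0/0', '::/0'})

newServer({address='127.0.0.1:5300', name='auth-local'})

-- Secondaries that are allowed to request zone transfers (constructed values).
local xfrClients = newNMG()
xfrClients:addMask('192.0.2.53/32')
xfrClients:addMask('2001:db8::53/128')

-- The backend sees every forwarded query as coming from 127.0.0.1, so a
-- localhost-only XFR allow list on the backend no longer filters anything.
-- Refuse AXFR and IXFR here unless the real client is a listed secondary.
local isXfr = OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})
addAction(
  AndRule({isXfr, NotRule(NetmaskGroupRule(xfrClients))}),
  RCodeAction(DNSRCode.REFUSED)
)
```

To refuse transfers for everyone, drop the netmask group and attach `RCodeAction(DNSRCode.REFUSED)` to `isXfr` alone.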