fanf

no DNS tunnelling here, please

4th Oct 2005 | 15:44

There's a rather nasty way of using the DNS to tunnel from the outside into a private network. If you publish an NS record whose target has a private address, and you then cause a nameserver at the private network's border to query that nameserver, it will send the query into the private network. This isn't particularly damaging because the target port is fixed to 53, but it invites abuse because it's a very cool hack and the tools to do it are becoming easier to use.

What I'd like to be able to do is to tell Bind never to send queries to RFC 3330 addresses. Bind has a "bogus server" feature that almost does the trick, but it can only block one IP address at a time and I want to block millions of them. However it also has a "blackhole" feature, which allows you to block whole CIDR address ranges, with the effect of the "bogus server" feature but also blocking queries from the relevant addresses. The latter is a slightly irritating side-effect if you want to accept queries from private addresses but not send queries to those addresses; however I only have one such IP address because my name servers only accept queries from localhost.

The solution I have come up with is:

    acl bogons {
        ! 127.0.0.1;
        0.0.0.0/8;
        10.0.0.0/8;
        127.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        192.0.2.0/24;
        192.168.0.0/16;
        198.18.0.0/15;
        224.0.0.0/3;
    };
    
    options {
        listen-on-v6 { none; };
        listen-on port 53 { 127.0.0.1; };
        query-source address * port 53;
    
        allow-query { 127.0.0.1; };
        allow-notify { none; };
        allow-transfer { none; };
        blackhole { bogons; };

        // some other options here
    };
    
    server 127.0.0.1 {
        bogus yes;
    };
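To check what the configuration above will actually blackhole before deploying it, here is an added example (not from the original post) that evaluates a BIND-style address match list the way named does: elements are tested in order, the first element containing the address decides, and a negated element such as "! 127.0.0.1" means the address does not match the list. The acl contents are copied from the post; the sample NS target addresses are constructed.

```python
import ipaddress

# The "bogons" acl from the post, in the order written. A leading "!" negates.
BOGONS = [
    "! 127.0.0.1",
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.0.2.0/24",
    "192.168.0.0/16",
    "198.18.0.0/15",
    "224.0.0.0/3",
]


def parse_acl(elements):
    """Turn textual acl elements into (negated, network) pairs."""
    parsed = []
    for element in elements:
        negated = element.startswith("!")
        text = element.lstrip("! ").strip()
        # A bare address such as 127.0.0.1 is a single-host prefix.
        parsed.append((negated, ipaddress.ip_network(text, strict=False)))
    return parsed


def acl_matches(acl, address):
    """BIND semantics: the first element containing the address decides;
    a negated element means 'does not match'; no element at all means no match."""
    addr = ipaddress.ip_address(address)
    for negated, network in acl:
        if addr.version == network.version and addr in network:
            return not negated
    return False


def would_be_blackholed(address, acl=parse_acl(BOGONS)):
    """True if named with `blackhole { bogons; };` would neither send queries
    to nor accept queries from this address."""
    return acl_matches(acl, address)


def audit_ns_targets(targets):
    """Return the NS target addresses that fall inside the blackholed ranges,
    i.e. the ones an attacker would need to steer queries into a private net."""
    return [t for t in targets if would_be_blackholed(t)]


if __name__ == "__main__":
    # Constructed sample: 1.2.3.4 stands in for an ordinary public address.
    sample = ["10.1.2.3", "127.0.0.1", "127.0.0.2", "192.0.2.1", "1.2.3.4"]
    print(audit_ns_targets(sample))
```

Note that 127.0.0.1 is exempted by the negated first element, which is what lets the post's server statement handle that one host with "bogus yes" while localhost queries are still accepted.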


Comments {2}

filecoreinuse

from: filecoreinuse
date: 4th Oct 2005 17:34 (UTC)

Couldn't you move the solution a bit further down and do some ipf/iptables foo on the BIND server to just reject connection attempts to private IPs on port 53?


Tony Finch

from: fanf
date: 5th Oct 2005 09:24 (UTC)

That has the same problem as the blackhole option - it doesn't deal with hosts that you want to allow queries from but which must not be published in NS records. The bogus server facility still needs to be generalized to allow CIDR ranges, but at least in my situation there is a reasonably OK work-around.
