Package: bind9
Version: 1:9.3.2-P1-2
Severity: wishlist
Tags: patch

Hi,

This follows on from #393003; it adds another ACL (bogons) and denies
service to any of the IP addresses listed within.

This is a very minimal list of network ranges; they are all from
RFC3330.

Cheers,
Anand

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages bind9 depends on:
ii  adduser                     3.97         Add and remove users and groups
ii  libbind9-0                  1:9.3.2-P1-2 BIND9 Shared Library used by BIND
ii  libc6                       2.3.6.ds1-4  GNU C Library: Shared libraries
ii  libdns21                    1:9.3.2-P1-2 DNS Shared Library used by BIND
ii  libisc11                    1:9.3.2-P1-2 ISC Shared Library used by BIND
ii  libisccc0                   1:9.3.2-P1-2 Command Channel Library used by BI
ii  libisccfg1                  1:9.3.2-P1-2 Config File Handling Library used 
ii  liblwres9                   1:9.3.2-P1-2 Lightweight Resolver Library used 
ii  libssl0.9.8                 0.9.8c-3     SSL shared libraries
ii  lsb-base                    3.1-15       Linux Standard Base 3.1 init scrip
ii  netbase                     4.25         Basic TCP/IP networking system

bind9 recommends no packages.

-- no debconf information
--- named.conf.options.orig	2006-10-15 02:49:14.000000000 +1000
+++ named.conf.options	2006-10-15 02:50:04.000000000 +1000
@@ -20,5 +20,13 @@
 
 	auth-nxdomain no;    # conform to RFC1035
 	listen-on-v6 { any; };
+
+	blackhole {
+		// Deny anything from the bogon networks as
+		// detailed in the "bogon" ACL.
+		bogon;
+	};
+
+
 };
 
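Review bot: the `blackhole` clause references an ACL called `bogon;`, but the ACL added in named.conf.acls below is declared as `acl "bogons"`, so named will refuse to load this configuration (an undefined ACL name is a fatal config error); the reference and the comment ("detailed in the "bogon" ACL") should both say `bogons`, and running `named-checkconf` on the patched files before install would catch this. Also note that `blackhole` affects both directions: named neither accepts queries from nor sends queries to the listed addresses, so the two trailing blank lines added here are harmless but the semantic impact on recursion is worth a comment. Minor: drop one of the two added blank lines before the closing `};`.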
--- named.conf.acls.orig	2006-10-15 03:16:59.000000000 +1000
+++ named.conf.acls	2006-10-15 03:10:39.000000000 +1000
@@ -12,3 +12,20 @@
 	//192.168.0.0/16
 
 };
+
+acl "bogons" {
+	// Filter out the bogon networks.  These are networks
+	// listed by IANA as test, RFC1918, Multicast, experi-
+	// mental, etc.  If you see DNS queries or updates with
+	// a source address within these networks, this is likely
+	// of malicious origin.
+	0.0.0.0/8;
+	10.0.0.0/8;
+	169.254.0.0/16;
+	172.16.0.0/12;
+	192.0.2.0/24;
+	192.168.0.0/16;
+	198.18.0.0/15;
+	224.0.0.0/4;
+	255.255.255.255/32;
+};
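Review bot: shipping `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16` in a blackhole list that is enabled by default will silently break name service for any site whose clients, or whose forwarders, sit on RFC1918 space, which is the common case for a Debian box on a home or office LAN (the `//192.168.0.0/16` context line just above this hunk shows the existing ACL anticipates exactly such local networks). Suggest either leaving the RFC1918 entries commented out, or keeping the `bogons` ACL defined but leaving the `blackhole { bogons; };` reference commented out in named.conf.options so administrators opt in deliberately. The ACL name also has to match the reference in the options file (`bogons` here, `bogon` there), and the comment's hyphenated "experi-\n mental" should be joined on one line.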
