2012-10-09

Private Networks and Bind 9.9.0

As of BIND 9.9.0, bind is compliant with RFC6303. RFC6303 addresses the problem that private networks everywhere on the Internet are leaking queries [people, you need egress firewalls, not just ingress firewalls]. Name servers receive many queries for addresses that are 'private' [see RFC1918].

In compliance with RFC6303, bind 9.9.0 now creates default empty zones for the RFC1918 networks; all responses to queries in these domains will be an authoritative NXDOMAIN. The upshot is that if you operate an RFC1918 private network and you update bind, your DNS will stop working, because the default empty zones overlap your configured zones. The creation of the empty zones is logged when bind starts, so you can see them get defined, but it could still be mystifying if you aren't aware of this change.

If this change impacts your network, the configuration directives you are interested in are empty-zones-enable and disable-empty-zone. The first disables all RFC6303 empty zones, which is the sledgehammer approach. The second allows the administrator to disable specific empty zones. The second option is preferred: just restore the private networks that you need. The first, however, will restore your DNS in the short term. ISC has a good article about toggling off the RFC6303 empty zones for those who operate private networks.
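The two approaches side by side, as an added named.conf fragment (not from the original post or from ISC). The directive names are the ones the post names; the empty-zone names are taken from the RFC6303 list, and the 10.0.0.0/8 reverse zone and its file path are assumptions standing in for whatever private range you actually serve.

```conf
options {
    // Sledgehammer: turn off every RFC6303 empty zone. Restores resolution
    // quickly, but the server will again forward leaked private-range
    // queries upstream instead of answering NXDOMAIN locally.
    // empty-zones-enable no;

    // Preferred: keep the RFC6303 behaviour and carve out only the private
    // reverse zones you really operate. One directive per zone; the names
    // for RFC1918 space are 10.in-addr.arpa, 16.172.in-addr.arpa through
    // 31.172.in-addr.arpa, and 168.192.in-addr.arpa.
    empty-zones-enable yes;
    disable-empty-zone "10.in-addr.arpa";
};

// Assumed example: the reverse zone this resolver is authoritative for.
// Without the disable-empty-zone line above, the automatically created
// empty 10.in-addr.arpa zone overlaps this one after the upgrade.
zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.10";   // assumed path
};
```

After editing, run named-checkconf and watch the startup log: the empty zones that are still being created are listed there, so a zone that should have been excluded but still appears means the disable-empty-zone name does not match.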

As always: NAT is evil.
