dmb_1945, 2021-06-02 11:57:17
linux

BIND: one of the zones shows up as vulnerable, recursion is enabled, why?

Hello everyone
OS: CentOS 7 + BIND 9.11.4-26
There are about 10 zones on the server.
For some reason, one of the configured zones shows up in every test as vulnerable and open to recursion.
The other 9 zones are fine. The BIND config is shared, and the parameters governing recursion are set: recursion is disabled.
The zone is practically empty: only the NS servers and www are listed. That's all.
Where could the problem be?

Server config (addresses changed, including the forwarding server; there is a slave, and the master is listed in "allowed"):

acl "allowed" {
        192.168.100.1/32;
        192.168.101.1/32;
        22.22.22.22/32;
        23.23.23.23/32;
};

options {
        listen-on port 53 { 127.0.0.1; 192.168.100.1; };
        listen-on-v6 port 53 { none; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        version "DNS Server";

        allow-query     { allowed; };
        allow-query-cache { allowed; };
        allow-transfer  { localhost; allowed; };
        forwarders { 8.8.8.8; };

        recursion       no;
        additional-from-cache no;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

statistics-channels {
        inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};

zone "trabla.com" IN {
        type master;
        file "trabla.com.zone";
        notify yes;
        allow-transfer  { allowed; };
};


Zone file:

$TTL 86400
@   IN  SOA   @  hostmaster.trabla.com. (
        2021052801  ;Serial
        3600        ;Refresh
        600         ;Retry
        1209600     ;Expire
        3600        ;Minimum TTL
)
@       IN      NS      ns1.trabla.com.
@       IN      NS      ns2.trabla.com.
ns1     IN      A       22.22.22.22
ns2     IN      A       23.23.23.23
;
@       IN      A       24.24.24.24
www     IN      A       24.24.24.24
;


Test screenshot from https://openresolver.com (image not reproduced)
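Added example (not the poster's code, and not part of the original thread): a minimal open-resolver probe of the kind openresolver.com runs. It sends a query with RD=1 for a name the server does not host and classifies the reply from the RA and AA flags, the RCODE and the answer count. The server address, the probe name `example.com` and the IPs in the constructed replies are assumptions for illustration; the `build_response` helper exists only so the classification can be exercised offline.

```python
"""Open-resolver probe: does this name server recurse (or serve cache) for
names it is not authoritative for?  Constructed replies are used for the
offline checks; `probe()` talks to a real server over UDP."""
import socket
import struct
import sys

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_query(qname, qtype=1, txid=0x1234, rd=True):
    """One question (A record by default) with Recursion Desired set by default."""
    header = struct.pack('!HHHHHH', txid, RD if rd else 0, 1, 0, 0, 0)
    labels = qname.rstrip('.').split('.')
    wire_name = b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'
    return header + wire_name + struct.pack('!HH', qtype, 1)


def parse_flags(msg):
    """Pull out the header fields an open-resolver test looks at."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack('!HHHHHH', msg[:12])
    return {
        'id': txid,
        'qr': bool(flags & QR),
        'aa': bool(flags & AA),
        'rd': bool(flags & RD),
        'ra': bool(flags & RA),
        'rcode': flags & 0x000F,
        'ancount': ancount,
    }


def classify(flags):
    """What the reply says about recursion for the queried name."""
    if flags['rcode'] == RCODE_REFUSED:
        return 'refused'        # recursion denied: what `recursion no;` should produce
    if flags['aa']:
        return 'authoritative'  # answered from the server's own zone data (expected for hosted names)
    if flags['ra'] or (flags['rcode'] == RCODE_NOERROR and flags['ancount'] > 0):
        return 'open-resolver'  # recursed, or served its cache, for a name it does not own
    return 'no-recursion'       # e.g. a referral or an empty NOERROR without RA


def build_response(query, flags, ips=()):
    """Constructed reply for offline testing (not a real capture): echo the question
    and append one A record per IP, using a compression pointer (0xC00C) to the name."""
    txid = struct.unpack('!H', query[:2])[0]
    header = struct.pack('!HHHHHH', txid, flags, 1, len(ips), 0, 0)
    rrs = b''.join(b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in ips)
    return header + query[12:] + rrs


def probe(server, qname='example.com', port=53, timeout=3.0):
    """Send the query over UDP and classify the reply; raises on timeout or ID mismatch."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        reply, _ = sock.recvfrom(4096)
    flags = parse_flags(reply)
    if flags['id'] != parse_flags(query)['id'] or not flags['qr']:
        raise ValueError('reply does not match the query')
    return classify(flags)


if __name__ == '__main__':
    # usage: python probe.py <server-ip> [name-outside-your-zones]
    print(probe(sys.argv[1], *sys.argv[2:3]))
```

Query a name outside the zones you host: a name inside trabla.com will always come back 'authoritative', which tells you nothing about recursion. BIND clears RA for clients that are not allowed to recurse, so a reply with RA set, or an answer for a foreign name, is exactly what these scanners flag; the same check by hand is `dig @server example.com A` and looking for `ra` in the `flags:` line.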
