#6363 [SECURITY] Don't allow recursion from the whole Internet
Closed: fixed 2 years ago by frenaud. Opened 7 years ago by candlerb.

When installing freeIPA under CentOS 7, it configures /etc/named.conf with:

        // Any host is permitted to issue recursive queries
        allow-recursion { any; };

(introduced in #1335)

This means that by default, an IPA server on the Internet is a vector for DNS amplification attacks. See http://openresolverproject.org/ for more information on why this is a bad thing.

In the spirit of "secure by default", I propose this be changed to something like:

        allow-recursion {
            10.0.0.0/8;       // RFC 1918 private space
            127.0.0.0/8;
            172.16.0.0/12;
            192.168.0.0/16;
            ::1;
            fc00::/7;         // IPv6 unique local addresses (RFC 4193)
        };

This covers a large proportion of deployments where the IPA server is installed on private address space. Users with their own public IPv4 or IPv6 address space would have to add it.
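As an added audit check, not part of this ticket or of FreeIPA's own code: a small Python script that extracts the allow-recursion ACL from named.conf and flags any entry that admits non-private sources, using the private, loopback and ULA ranges proposed above as the allowed set. The function names and the two sample configurations are constructed for the example; strict prefix parsing also catches a mistyped ULA prefix such as fc::/7 (the correct prefix is fc00::/7).

```python
import ipaddress
import re

# Constructed list: the private, loopback and ULA space the ticket proposes to allow.
PRIVATE_RANGES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]
ACL_RE = re.compile(r"allow-recursion\s*\{([^}]*)\}\s*;")

def parse_allow_recursion(conf):
    """Return the entries of the first allow-recursion block, with comments stripped."""
    text = re.sub(r"//.*|#.*", "", conf)                # named.conf line comments
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    m = ACL_RE.search(text)
    if m is None:
        return []   # no explicit ACL: named's built-in default applies, not judged here
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def classify(entry):
    """Map one address-match-list entry to public / private / unresolved / invalid."""
    key = entry.lower()
    if key == "any":                                    # the CentOS 7 default from the ticket
        return "public"
    if key in ("none", "localhost", "localnets"):       # built-ins bounded by the host itself
        return "private"
    if re.fullmatch(r"[a-z_][\w-]*", key):
        return "unresolved"                             # user-defined acl name: check by hand
    try:   # strict=True rejects host bits set, e.g. fc::/7 (the ULA prefix is fc00::/7)
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        return "invalid"
    if any(net.subnet_of(r) for r in PRIVATE_RANGES if r.version == net.version):
        return "private"
    return "public"

def audit_allow_recursion(conf):
    """Bucket every entry; 'open' becomes True once any entry admits non-private sources."""
    findings = {"open": False, "public": [], "private": [], "unresolved": [], "invalid": []}
    for entry in parse_allow_recursion(conf):
        if entry.startswith("!"):       # negated entries deny; they never grant recursion
            continue
        bucket = classify(entry)
        findings[bucket].append(entry)
        if bucket == "public":
            findings["open"] = True
    return findings

# Constructed samples: the CentOS 7 default the ticket reports, and a private-only ACL with a typo.
OPEN_CONF = "options {\n  // Any host is permitted to issue recursive queries\n  allow-recursion { any; };\n};\n"
TYPO_CONF = """allow-recursion { 10.0.0.0/8; 127.0.0.0/8; 172.16.0.0/12;
    192.168.0.0/16; ::1; fc::/7; /* mistyped; the ULA prefix is fc00::/7 */ };"""
```

Run it against a copy of /etc/named.conf after ipa-dns-install to confirm the ACL is not `any` before exposing the server.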
Thanks. We will think about a way to make it usable and secure at the same time.

Historical data: This was already discussed in
https://bugzilla.redhat.com/show_bug.cgi?id=1319404#c2

We cannot change the default right now because the installer does not have the ability to retain hand-made changes in named.conf. A restricted policy would always overwrite the user-specified policy on ipa-dns-install, even if the server is in a different subnet.

Mainly for this reason, we need to revisit this when the installer has the capability to modify named.conf instead of overwriting it on each run.

Metadata Update from @candlerb:
- Issue assigned to mbasti
- Issue set to the milestone: Ticket Backlog

7 years ago

Metadata Update from @mbasti:
- Assignee reset
- Issue close_status updated to: None

6 years ago

@yrro thanks for spotting the duplicate, good catch. Closing as fixed.

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
