By default, when we deploy FreeIPA as a DNS server, it allows recursive queries. This is a security issue, since it allows the server to be used for a DNS Amplification Attack [1].
In order to prevent that, the recursion should be limited to only localnets + localhost[2].
[1] https://www.us-cert.gov/ncas/alerts/TA13-088A
[2] https://kb.isc.org/docs/aa-00269
It does the resolution
It should block resolution from untrusted networks
Related BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
In short:
- we would like to add 'ipa-ext.conf' include file for named. This file will contain only comments in the default installation but will be included from named.conf
- we'll remove default recursion statement from the named.conf. This means on bind9 since 9.4.1-P1 we would default to allow recursion only on localhost and localnets.
- anything else can be added by admins to ipa-ext.conf which will not be overridden on upgrades
- the file 'ipa-ext.conf' will need to be backed up and restored properly, it should have correct rights, SELinux policy, etc
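To make the plan above concrete, here is an added, constructed named.conf sketch (not FreeIPA's shipped template or the code from this ticket) showing the open-resolver setting next to the hardened form that simply relies on BIND's built-in default. The include of `ipa-ext.conf` is shown inside the `options` block so that an admin can still override `allow-recursion` from it; that placement, the `/etc/named/` path and the `trusted` ACL are assumptions for the example, not details taken from the ticket.

```conf
// Constructed example, not the FreeIPA named.conf template.

// --- Weak: the server is an open resolver ---
// Any client on the Internet may use the cache, which is what makes
// the server usable as a reflector in an amplification attack.
//
// options {
//     recursion yes;
//     allow-recursion { any; };
// };

// --- Hardened: no explicit allow-recursion statement ---
options {
    recursion yes;               // internal clients still need recursion

    // With no allow-recursion statement, BIND 9.4.1-P1 and later
    // default to:  allow-recursion { localnets; localhost; };
    // (allow-query-cache defaults to the same set).

    // Site-specific overrides go here; this file is left alone on
    // upgrades and ships with only comments. Assumed placement and path.
    include "/etc/named/ipa-ext.conf";
};

// --- /etc/named/ipa-ext.conf, as an admin might fill it in (assumed) ---
// Widen recursion only to the networks that are actually yours:
//
// acl "trusted" { 192.0.2.0/24; 2001:db8::/32; localnets; localhost; };
// allow-recursion { trusted; };
// allow-query-cache { trusted; };
```

After reloading named, the change can be verified from a host outside the allowed networks with `dig @<ipa-server> www.example.com`: a correctly restricted server answers `status: REFUSED` (dig also prints "recursion requested but not available" because the RA flag is not set), while authoritative answers for the zones the server hosts are still returned normally.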
Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1754530
master:
ipa-4-8:
Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)