Contrail vDNS: DNS DDOS exposure
Bug #1423813 reported by tom murray
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R2.20 | Won't Fix | Medium | Nipa |
R3.0 | Won't Fix | Medium | Nipa |
R3.0.2.x | Won't Fix | Critical | Nipa |
R3.1 | Won't Fix | Critical | Nipa |
Trunk | Fix Committed | Critical | Nipa |
Bug Description
This is with contrail 2.10/26
My customer reported today that the Contrail vDNS was exploited to be used as part of a DDOS attack on an external 3rd party. I do not have full details yet, but I suppose that this would follow something like the recursion exploit described here: http://
We need to follow best practices for DNS configuration, for example following the recommendations described at https:/
Changed in juniperopenstack:
assignee: nobody → Hari Prasad Killi (haripk)
Changed in juniperopenstack:
importance: Undecided → Medium
tags: added: blocker
Changed in juniperopenstack:
milestone: none → r3.0-fcs
information type: Proprietary → Private Security
information type: Private Security → Public
tags: added: releasenote
tags: removed: releasenote
tags: added: releasenote
Specifically, the /etc/contrail/dns/named.conf on the vDNS nodes has recursion set to "any"...this must be restricted!!!
options {
    directory "/etc/contrail/dns/";
    managed-keys-directory "/etc/contrail/dns/";
    empty-zones-enable no;
    pid-file "/etc/contrail/dns/named.pid";
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { any; };
    allow-query-cache { any; };
};
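For comparison, here is an added example of the same options block with recursion restricted, written for this note and not taken from Contrail's shipped named.conf. The `vdns-clients` ACL name and its address ranges are placeholders for whatever tenant and management networks are actually entitled to use the resolver; the `rate-limit` block is standard BIND response rate limiting (BIND 9.9.4 and later) and is included as a further mitigation against amplification from sources that are permitted to query.

```conf
// Added example: restricted vDNS named.conf options (not Contrail's own file).
// ACL name and prefixes are placeholders; replace with the real client ranges.
acl "vdns-clients" {
    127.0.0.1;
    10.0.0.0/8;        // placeholder: internal networks allowed to recurse
};

options {
    directory "/etc/contrail/dns/";
    managed-keys-directory "/etc/contrail/dns/";
    empty-zones-enable no;
    pid-file "/etc/contrail/dns/named.pid";
    listen-on port 53 { any; };

    // Authoritative answers for zones this server hosts can still go to anyone.
    allow-query { any; };

    // Recursion and cache reads only for known clients, never "any".
    // An open recursive resolver answers for arbitrary Internet sources and
    // can be turned into a reflection/amplification source.
    allow-recursion { vdns-clients; };
    allow-query-cache { vdns-clients; };

    // Response rate limiting blunts amplification even from permitted sources.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```

After changing the file, check it with `named-checkconf /etc/contrail/dns/named.conf` before reloading, and confirm from an address outside the ACL that a recursive query (for a name the server is not authoritative for) is refused rather than answered.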