For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Caio_178191's avatar
Caio_178191
Icon for Nimbostratus rankNimbostratus
Aug 20, 2015

Problem solved.

 

You must put an ACL in named configuration.

 

Here we have a default Named Configuration in GTM with recursive deactivated.

 

Code
restrict rndc access to local machines
use the key in the default place: /config/rndc.key

controls {
    inet 127.0.0.1 port 953 allow {
        127.0.0.1;
    };
};

logging {
    channel logfile {
        syslog daemon;
        severity error;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default {
        logfile;
    };
    category config {
        logfile;
    };
    category notify {
        logfile;
    };
};

options {
    listen-on port 53 {
        127.0.0.1;
        "zrd-acl-000-000";
    };
    listen-on-v6 port 53 {
        ::1;
    };
    recursion no;
    directory "/config/namedb";
    allow-transfer {
        localhost;
    };
    check-names master warn;

    check-integrity yes;
    max-journal-size 1M;
    version "none";
};

acl "zrd-acl-000-000" {
 127.10.0.0;
};

Code

To activate the recursion, we should change the "no" to "yes" in the line "recursion no". But besides that, we need to add an acl. So, our code will be:

 

Code
restrict rndc access to local machines
use the key in the default place: /config/rndc.key

controls {
    inet 127.0.0.1 port 953 allow {
        127.0.0.1;
    };
};

logging {
    channel logfile {
        syslog daemon;
        severity error;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default {
        logfile;
    };
    category config {
        logfile;
    };
    category notify {
        logfile;
    };
};

options {
    listen-on port 53 {
        127.0.0.1;
        "zrd-acl-000-000";
    };
    listen-on-v6 port 53 {
        ::1;
    };
    recursion yes;
    directory "/config/namedb";
    allow-transfer {
        localhost;
    };
    check-names master warn;

    check-integrity yes;
    max-journal-size 1M;
    version "none";
    allow-recursion {
      internal;
    };
};

acl "zrd-acl-000-000" {
 127.10.0.0;
};
acl "internal" {
  0.0.0.0/0;
};

Code

After this configuration, the system starts to accept recursive querys.