This patch is part of a workaround to be used in conjunction with the AusCERT Alert AL-1999.004 "Denial of Service (DoS) attacks using the Domain Name System (DNS)" available from the following URL: ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos This patch is not supported.
Index: src/bin/named/ns_req.c
===================================================================
RCS file: /proj/cvs/isc/bind/src/bin/named/ns_req.c,v
retrieving revision 8.90
diff -c -r8.90 ns_req.c
*** ns_req.c 1999/06/20 23:44:56 8.90
--- ns_req.c 1999/08/02 02:25:59
***************
*** 854,862 ****
* what we have with a referral.
*/
if ((zp->z_query_acl == NULL) &&
! (!hp->rd || NS_OPTION_P(OPTION_NORECURSE)) &&
(ntohs(hp->ancount) != 0)) {
goto fetchns;
}
ns_notice(ns_log_security,
"unapproved query from %s for \"%s\"",
--- 854,895 ----
* what we have with a referral.
*/
if ((zp->z_query_acl == NULL) &&
! (!hp->rd || NS_OPTION_P(OPTION_NORECURSE) ||
! recursion_blocked_by_acl) &&
(ntohs(hp->ancount) != 0)) {
goto fetchns;
+ }
+
+ /*
+ * See if we would have made a referral from
+ * an enclosing zone if we are actually in the
+ * cache.
+ */
+ if (zp->z_type == z_cache && np != NULL) {
+ struct namebuf *access_np;
+
+ zone = DB_Z_CACHE;
+ for (access_np = np; access_np != NULL;
+ access_np = np_parent(access_np)) {
+ dp = access_np->n_data;
+ while (dp && (dp->d_class != class ||
+ dp->d_zone == DB_Z_CACHE))
+ dp = dp->d_next;
+ if (dp != NULL) {
+ zone = dp->d_zone;
+ np = access_np;
+ break;
+ }
+ }
+ zp = &zones[zone];
+ if (zp->z_type != z_cache &&
+ zp->z_query_acl != NULL &&
+ ip_addr_or_key_allowed(zp->z_query_acl,
+ from.sin_addr, in_key) &&
+ (!hp->rd || recursion_blocked_by_acl ||
+ NS_OPTION_P(OPTION_NORECURSE))) {
+ goto fetchns;
+ }
}
ns_notice(ns_log_security,
"unapproved query from %s for \"%s\"",
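Review bot: The enclosing-zone walk in the new `if (zp->z_type == z_cache && np != NULL)` block overwrites `zone`, `zp`, `np` and `dp` unconditionally, so when the enclosing zone's ACL rejects the client (or its `z_query_acl` is NULL) execution falls through to `ns_notice(... "unapproved query ...")` and whatever follows with those variables now pointing at the enclosing authoritative zone instead of the cache; if later code on the refusal path reads `zp` or `np`, that is a behaviour change the patch does not call out. I would keep the walk in locals and only commit `zone`/`zp`/`np` on the branch that actually takes `goto fetchns`, as sketched below (`dp` is still advanced by the walk; whether that matters depends on code outside the hunk). Separately, unlike the first condition this new referral path does not require `ntohs(hp->ancount) != 0`; if that is deliberate (refer even when the cache holds no answer records) a one-line comment such as `/* referral is made even with an empty answer section */` would save the next reader a trip. The enclosing function starts and ends outside the hunk, and `recursion_blocked_by_acl` is set elsewhere in the patch.
```c
/* … unchanged: first referral check and the "See if we would have made a referral" comment … */
	if (zp->z_type == z_cache && np != NULL) {
		struct namebuf *access_np;

		for (access_np = np; access_np != NULL;
		     access_np = np_parent(access_np)) {
			dp = access_np->n_data;
			while (dp && (dp->d_class != class ||
				      dp->d_zone == DB_Z_CACHE))
				dp = dp->d_next;
			if (dp != NULL)
				break;
		}
		/*
		 * Only switch to the enclosing zone when a referral
		 * will actually be made; the refusal path below keeps
		 * seeing the cache zone it was looking at.
		 */
		if (dp != NULL &&
		    zones[dp->d_zone].z_type != z_cache &&
		    zones[dp->d_zone].z_query_acl != NULL &&
		    ip_addr_or_key_allowed(zones[dp->d_zone].z_query_acl,
					   from.sin_addr, in_key) &&
		    (!hp->rd || recursion_blocked_by_acl ||
		     NS_OPTION_P(OPTION_NORECURSE))) {
			zone = dp->d_zone;
			zp = &zones[zone];
			np = access_np;
			goto fetchns;
		}
	}
/* … unchanged: ns_notice("unapproved query ...") … */
```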