Severity: Medium
Remote: Yes
Type: Access restriction bypass
BIND <= 9.13.0 can improperly permit recursive query service to unauthorized clients. When "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query", it is possible for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients.
Group: AVG-718
Package: bind
Affected: 9.13.0-2
Fixed: (none)
Severity: Medium
Status: Vulnerable
Ticket: (none)
A number of configuration workarounds are available which completely avoid the problem.  

If an operator has not chosen to specify some other permission, explicitly specifying "allow-query {localnets; localhost;};" in named.conf will provide behavior equivalent to the intended default.

If the default setting is not appropriate (because the operator wants a different behavior) then depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of:


will prevent the "allow-recursion" control from improperly inheriting a setting from the "allow-query" default. If a value is set for any of those options, the behavior of "allow-recursion" is set directly or inherited from one of the other values as described in the BIND Administrator Reference Manual, section 6.2.

Servers which are not intended to perform recursion at all may also effectively prevent this condition by setting "recursion no;" in named.conf.
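As an added check that is not part of this advisory or of BIND itself, the Python script below audits the top-level options block of a named.conf for the condition described above (recursion enabled with no explicit match list on allow-query, allow-query-cache or allow-recursion) and contrasts a constructed default-only configuration with the advisory's "allow-query { localnets; localhost; };" workaround. It assumes BIND's documented default of "recursion yes" when the statement is absent, and it does not inspect view blocks or the -on variants of the options.

```python
import re
# Constructed sample named.conf fragments (not from the advisory): the first
# leaves every ACL at its default, the second applies the advisory's workaround.
VULNERABLE_CONF = """
options {
    directory "/var/named";
    recursion yes;   // the BIND default, stated explicitly
};
"""
FIXED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { localnets; localhost; };
};
"""
# An explicit match list on any of these stops allow-recursion from inheriting
# the allow-query default (the -on variants are not checked here).
ACL_OPTIONS = ("allow-query", "allow-query-cache", "allow-recursion")

def strip_comments(text):
    """Drop /* */, // and # comments so a commented-out ACL does not count."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(conf):
    """Return the body of the top-level options { ... } block ('' if absent)."""
    text = strip_comments(conf)
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return ""
    depth, i = 1, start.end()
    while i < len(text) and depth:          # walk to the matching close brace
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start.end():i - 1]

def recursion_enabled(body):
    """Assumes BIND's default of recursion yes when the statement is absent."""
    m = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    return m is None or m.group(1) == "yes"

def explicit_acls(body):
    """Names from ACL_OPTIONS that carry an explicit match list in body."""
    return {opt for opt in ACL_OPTIONS if re.search(rf"\b{opt}\s*\{{", body)}
def inherits_recursion_from_default(conf):
    """True when recursion is on and no ACL is set: the advisory's condition."""
    body = options_block(conf)
    return recursion_enabled(body) and not explicit_acls(body)
```

Run it against a real named.conf by reading the file into a string and passing it to inherits_recursion_from_default; a True result means allow-recursion is inheriting the all-hosts default.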