Errata overview
Errata ID 66
Date 2015-01-29
Source package univention-bind
Fixed in version 9.0.5-1.206.201501261058
The configuration of the UCS DNS name server BIND9 is prone to Open Resolver
attacks, which are used to launch Distributed Denial of Service (DDoS)
attacks against other hosts of the internet.
To prevent such abuse the default configuration will be changed to allow
'recursive queries' only from IP addresses of the private address ranges,
link-local address ranges, localhost and local networks.
If the name servers need to be queried from any other hosts outside those
network, they must be configured using the Univention Configuration Registry
variable 'dns/allow/query/cache'.
This change gets only applied for newly installed Domaincontrollers.
See <> for additional details.
Additional notes
UCS Bug number #37553