[+] Description of problem:

• Bind 9.11 with default Named configuration responds to RFC 1918 requests

[+] Version-Release number of selected component (if applicable):

• bind-9.11.4-9.P2.el7.x86_64

[+] How reproducible:

• Always

[+] Steps to Reproduce:
1. Install IdM with default Named configuration
2. Send RFC 1918 requests to IdM server

[+] Actual results:

• Jan 10 09:43:31 serverhostname named-pkcs11[20650]: client @0x7******** 192.168.0.2#42094 (1.0.168.192.in-addr.arpa): RFC 1918 response from Internet for 1.0.168.192.in-addr.arpa

[+] Expected results:

• RFC 1918 requests are blocked

[+] Additional info:

• Upstream documentation states that Bind 9.9 and above have empty-zones-enable set to 'yes' by default. With a basic deployment of RHEL 7 minimal with IdM installed, this does not seem to be the case with named-pkcs11.
• https://www.zytrax.com/books/dns/ch7/queries.html#empty-zones-enable
• "By default empty-zones-enable is set to yes which means that reverse queries for IPv4 and IPv6 addresses covered by RFCs 1918, 4193, 5737 and 6598 (as well as IPv6 local address (locally assigned), IPv6 link local addresses, the IPv6 loopback address and the IPv6 unknown address) but which is not not covered by a locally defined zone clause will automatically return an NXDOMAIN response from the local name server."