Re: How to find out DNS Server version ?

2009-11-13 Thread Bill Larson
Tibo  said:

> Leonardo Rodrigues wrote:
> > Tibo wrote:
> >>
> >> I think I found it : fpdns -f NAMESERVER
> >>
> >> Is it always OK ?
> > 
> >    No, that's not always OK, because the -f option of fpdns relies on the 
> > version.bind record, which, as I explained in my previous message, 
> > sometimes can't be queried and other times can return a fake version id.
> > 
> > fpdns -f and the dig command I gave you query exactly the same 
> > thing.
> > 
> > None of those (which are in fact the same thing) are 100% reliable for 
> > identifying remote DNS server versions.
> > 
> > 
> Ok, I think if I tell my people to always allow the version, then the 
> solution with dig would be OK.

You can always define a "view" for the chaos class and only let your 
workstation get the results from this version.bind query.  Everyone else 
would be blocked from obtaining this information.

Many "security" people believe that releasing the version.bind information 
is a security issue.  They do a "version.bind" query and if they get ANY 
answer they feel that this is a problem.  I don't agree with them, but I 
have given up fighting them on this issue.  Most of the time these security 
people are outside consultants that management is paying and they have 
management's ear with any "findings".

The "fpdns" tool tries to determine the type/version of a DNS server by 
sending the server special queries which help to define this information.  
Unfortunately, multiple versions of BIND can respond to these special 
queries and so only provide a range of version information.  Also, I have 
seen firewalls which block some of the queries fpdns uses, such as TCP ones, 
which make version identification even more difficult and/or impossible.

Another possibility is to ASK the administrators of the other data centers 
for this information.  All they have to do is run "named -v" to get this 
information.  If you can't get them to do this for you, how do you expect to 
get them to reconfigure your named.conf to allow version.bind queries?

I know that having the BIND version available by querying is nice, but it is 
also possible to configure this information to report bogus information in a 
format that would appear to be legitimate.  Why "trust" these version.bind 
queries in the first place?  Use the simple solution of asking the 
administrators.  A simple question deserves a simple solution.

Bill Larson
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
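
The CHAOS-class view Bill describes, written out as an added example rather than configuration from the thread. The ACL address and view name are placeholders, and it relies on named consulting configured views in order before its own built-in CHAOS view (the one that answers version.bind); that ordering is my reading of BIND 9, so confirm it with dig from both an admin and a non-admin address before relying on it:

```conf
// Added example, not from the original message. 192.0.2.10 stands in for
// the admin workstation that is still allowed to see the real version.
acl admins { 192.0.2.10; };

options {
    // ... your usual options ...
    // Alternative to the view below: answer everyone, admins included,
    // with a bogus or empty string instead of the real version.
    // version "not disclosed";
    // version none;
};

// An explicit CHAOS-class view that matches everyone EXCEPT the admin
// workstation. It holds no zones, so those clients get an error response
// instead of the version.bind TXT record. The admin workstation does not
// match this view and falls through to named's built-in CHAOS view, which
// still answers "version.bind CH TXT" with the running version.
view "chaos-hidden" CH {
    match-clients { !admins; any; };
    recursion no;
};
```

The check from the admin workstation is the same dig query the thread uses (`dig @server version.bind chaos txt`); from any other address it should come back without an answer section. Keep in mind the caveat raised below: even where the query is allowed, the string is whatever the server was configured to say, so it is corroboration, not proof, of the version.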

Re: How to find out DNS Server version ?

2009-11-13 Thread Leonardo Rodrigues

Tibo wrote:


I think I found it : fpdns -f NAMESERVER

Is it always OK ?


   No, that's not always OK, because the -f option of fpdns relies on the 
version.bind record, which, as I explained in my previous message, 
sometimes can't be queried and other times can return a fake version id.


fpdns -f and the dig command I gave you query exactly the same thing.

None of those (which are in fact the same thing) are 100% reliable for 
identifying remote DNS server versions.



--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do NOT email it:
gertru...@solutti.com.br






Re: How to find out DNS Server version ?

2009-11-13 Thread Tibo

Leonardo Rodrigues wrote:

Tibo wrote:


I think I found it : fpdns -f NAMESERVER

Is it always OK ?


   No, that's not always OK, because the -f option of fpdns relies on the 
version.bind record, which, as I explained in my previous message, 
sometimes can't be queried and other times can return a fake version id.


fpdns -f and the dig command I gave you query exactly the same 
thing.


None of those (which are in fact the same thing) are 100% reliable for 
identifying remote DNS server versions.



Ok, I think if I tell my people to always allow the version, then the 
solution with dig would be OK.


Thanks a lot !


RE: How to find out DNS Server version ?

2009-11-13 Thread Marc Riera
Hello,

You can ask them to run this:

dig -t txt -c chaos VERSION.BIND @


or maybe you are lucky and this web page is useful for you:

http://www.howismydns.com/tools.php


good luck.



Joan Marc Riera Duocastella
Barcelona Media - Centre d'Innovació
Av. Diagonal, 177, 9th floor, 08018 - BARCELONA
Telephone +34 93 238 14 00 Fax +34 93 309 31 88
www.barcelonamedia.org


-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] 
On behalf of Tibo
Sent: Friday, 13 November 2009 15:21
To: comp-protocols-dns-b...@isc.org
Subject: How to find out DNS Server version ?

Hello !

I have a little problem :

We have 4 small datacenters around the world.
I would like to check that all DNS servers are up to date, but only the people
responsible for a datacenter can access their servers, for security reasons.
I know some tools on the net can do that, but it's not easy for me and
I'd like to automate all of that.

I tried fingerprinting (fpdns) but the answer is always:
"BIND 9.2.3rc1 -- 9.4.0a0."

Do you have any solutions for me ?

Thanks in advance,

Thibaut


Re: Overload some records for intern use

2009-11-13 Thread Thomas Harold

On 11/13/2009 9:39 AM, Johan VAN RYSEGHEM wrote:

I thought I tried this. I retried and guess what, it worked. Seems like
my original setup was wrong. I must have misused the $ORIGIN keyword.
Nonetheless, I think I'm going to keep pdnsd, as it's easier to set up
for my use.


And just for completeness sake...

BIND's split views can be used to accomplish things in a similar manner, 
but they are more for the times where your BIND server is the authoritative 
server for your domain.  They allow you to provide different results to 
different clients and to only publish part of your zone to the internet.


http://www.knowplace.org/pages/howtos/split_view_with_bind_9_howto.php

You can also use the "create a domain" trick in non-BIND servers to 
overload A records for internal clients.  I've done it at a Windows-only 
site using Microsoft's DNS server software.  It's a useful trick to know 
since it isn't implementation specific.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How to find out DNS Server version ?

2009-11-13 Thread Leonardo Rodrigues



   You can always try:

dig @dns.server.to.query version.bind chaos txt

which would return something like:


;; QUESTION SECTION:
;version.bind.  CH  TXT

;; ANSWER SECTION:
version.bind.   0   CH  TXT "djbdns 1.05"

   (sorry for the djbdns; I found no BIND that allows that, for 
exemplifying it :)   )


   The big problem here is that DNS servers quite usually do not 
accept these queries or, in some other quite usual configuration, change 
the text to some generic string, which can be easily done in BIND, for 
example:



;; ANSWER SECTION:
version.bind.   0   CH  TXT "version goes here"


   There's absolutely no guaranteed way of getting the correct version 
running on DNS servers you have no admin access to. The only thing guaranteed 
to work 100% of the time still seems to be 'named -v' on the machine's 
console.





Tibo wrote:

Hello !

I have a little problem :

We have 4 small datacenters around the world.
I would like to check that all DNS servers are up to date, but only the people
responsible for a datacenter can access their servers, for security 
reasons.

I know some tools on the net can do that, but it's not easy for me and
I'd like to automate all of that.


--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do NOT email it:
gertru...@solutti.com.br






Re: How to find out DNS Server version ?

2009-11-13 Thread Tibo

Tibo wrote:

Hello !

I have a little problem :

We have 4 small datacenters around the world.
I would like to check that all DNS servers are up to date, but only the people
responsible for a datacenter can access their servers, for security reasons.
I know some tools on the net can do that, but it's not easy for me and
I'd like to automate all of that.

I tried fingerprinting (fpdns) but the answer is always:
"BIND 9.2.3rc1 -- 9.4.0a0."

Do you have any solutions for me ?

Thanks in advance,

Thibaut


I think I found it : fpdns -f NAMESERVER

Is it always OK ?


Re: Overload some records for intern use

2009-11-13 Thread Johan VAN RYSEGHEM

Thomas Harold wrote:

On 11/13/2009 6:44 AM, Jonathan Petersson wrote:

Someone correct me if I'm wrong but using BIND you must have the full
zone, partial forwarding/proxying isn't built in so you would need to
download the zone and replace the data you need to change.



If all you want to do is change an A record (served from an external 
zone) to a different internal IP address, then it's doable with BIND.


For example, if I want to redirect svn.example.org to the internal IP 
address rather than the public IP address, I add the following zone 
file (called "svn.example.org" in my setup):


$ORIGIN .
$TTL 600        ; 10 minutes
svn.example.com         IN SOA  fw.internal.example.org. dns.example.com. (
                                2007052665 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                7200       ; expire (2 hours)
                                3600       ; minimum (1 hour)
                                )
                        NS      fw.internal.example.org.
$ORIGIN svn.example.com.
                        A       192.168.0.9

So clients inside the LAN who talk to this DNS server and ask for 
"svn.example.com" will get the 192.168.0.9 address.  Clients outside 
the LAN or who don't use the DNS server will get the public IP address 
from the public DNS records.


I don't recall offhand if there's more to it, it's been a year or more 
since I set up that record.  Basically you're adding a local private 
zone that is named the same as the DNS record that you're overloading 
and telling BIND to pretend that it is authoritative for that record.
I thought I tried this. I retried and guess what, it worked. Seems like 
my original setup was wrong. I must have misused the $ORIGIN keyword. 
Nonetheless, I think I'm going to keep pdnsd, as it's easier to set up 
for my use.


Thanks a lot !

Johan

--
Johan VAN RYSEGHEM - RIAS Developer
Websiteburo | Interactive Media Agency | Bordeaux/Paris
johan.van.ryseg...@websiteburo.com : 06.77.88.51.60 - Landline: 05.47.74.74.20
http://www.websiteburo.com


How to find out DNS Server version ?

2009-11-13 Thread Tibo

Hello !

I have a little problem :

We have 4 small datacenters around the world.
I would like to check that all DNS servers are up to date, but only the people
responsible for a datacenter can access their servers, for security reasons.
I know some tools on the net can do that, but it's not easy for me and
I'd like to automate all of that.

I tried fingerprinting (fpdns) but the answer is always:
"BIND 9.2.3rc1 -- 9.4.0a0."

Do you have any solutions for me ?

Thanks in advance,

Thibaut


Re: Overload some records for intern use

2009-11-13 Thread Thomas Harold

On 11/13/2009 6:44 AM, Jonathan Petersson wrote:

Someone correct me if I'm wrong but using BIND you must have the full
zone, partial forwarding/proxying isn't built in so you would need to
download the zone and replace the data you need to change.



If all you want to do is change an A record (served from an external 
zone) to a different internal IP address, then it's doable with BIND.


For example, if I want to redirect svn.example.org to the internal IP 
address rather than the public IP address, I add the following zone file 
(called "svn.example.org" in my setup):


$ORIGIN .
$TTL 600        ; 10 minutes
svn.example.com         IN SOA  fw.internal.example.org. dns.example.com. (
                                2007052665 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                7200       ; expire (2 hours)
                                3600       ; minimum (1 hour)
                                )
                        NS      fw.internal.example.org.
$ORIGIN svn.example.com.
                        A       192.168.0.9

So clients inside the LAN who talk to this DNS server and ask for 
"svn.example.com" will get the 192.168.0.9 address.  Clients outside the 
LAN or who don't use the DNS server will get the public IP address from 
the public DNS records.


I don't recall offhand if there's more to it, it's been a year or more 
since I set up that record.  Basically you're adding a local private zone 
that is named the same as the DNS record that you're overloading and 
telling BIND to pretend that it is authoritative for that record.



Re: Overload some records for intern use

2009-11-13 Thread Johan VAN RYSEGHEM
OK, I solved my problem using pdnsd 
(http://www.phys.uu.nl/~rombouts/pdnsd/doc.html). Seems it fits my needs 
better.


Thanks for your help

Johan


Jonathan Petersson wrote:

Someone correct me if I'm wrong but using BIND you must have the full
zone, partial forwarding/proxying isn't built in so you would need to
download the zone and replace the data you need to change.

/Jonathan

On Fri, Nov 13, 2009 at 11:22 AM, Johan VAN RYSEGHEM wrote:
  

Hello all,

my problem is quite simple, but I've tried a lot of different setups, none
worked :(

My company's DNS is hosted by a third-party operator. In the zone
"websiteburo.com", there are several A records pointing to our different
servers.
My problem is: a few of these servers are hosted locally in our offices, so
I'd like to set up a DNS server which would:
1/ return local addresses for a subset of records
2/ forward the queries to the external server if it cannot answer

Of course I could probably write a batch which retrieves the zone from the
external server and rewrites some records with local addresses, but I think
there could be a more elegant way to do this.

Help would be welcome

Thanks in advance

--
Johan VAN RYSEGHEM - RIAS Developer
Websiteburo | Interactive Media Agency | Bordeaux/Paris
johan.van.ryseg...@websiteburo.com : 06.77.88.51.60 - Landline: 05.47.74.74.20
http://www.websiteburo.com





--
Johan VAN RYSEGHEM - RIAS Developer
Websiteburo | Interactive Media Agency | Bordeaux/Paris
johan.van.ryseg...@websiteburo.com : 06.77.88.51.60 - Landline: 05.47.74.74.20
http://www.websiteburo.com


Re: Overload some records for intern use

2009-11-13 Thread Jonathan Petersson
Someone correct me if I'm wrong but using BIND you must have the full
zone, partial forwarding/proxying isn't built in so you would need to
download the zone and replace the data you need to change.

/Jonathan

On Fri, Nov 13, 2009 at 11:22 AM, Johan VAN RYSEGHEM wrote:
> Hello all,
>
> my problem is quite simple, but I've tried a lot of different setups, none
> worked :(
>
> My company's DNS is hosted by a third-party operator. In the zone
> "websiteburo.com", there are several A records pointing to our different
> servers.
> My problem is: a few of these servers are hosted locally in our offices, so
> I'd like to set up a DNS server which would:
> 1/ return local addresses for a subset of records
> 2/ forward the queries to the external server if it cannot answer
>
> Of course I could probably write a batch which retrieves the zone from the
> external server and rewrites some records with local addresses, but I think
> there could be a more elegant way to do this.
>
> Help would be welcome
>
> Thanks in advance
>
> --
> Johan VAN RYSEGHEM - RIAS Developer
> Websiteburo | Interactive Media Agency | Bordeaux/Paris
> johan.van.ryseg...@websiteburo.com : 06.77.88.51.60 - Landline: 05.47.74.74.20
> http://www.websiteburo.com


Overload some records for intern use

2009-11-13 Thread Johan VAN RYSEGHEM

Hello all,

my problem is quite simple, but I've tried a lot of different setups, 
none worked :(


My company's DNS is hosted by a third-party operator. In the zone 
"websiteburo.com", there are several A records pointing to our 
different servers.
My problem is: a few of these servers are hosted locally in our offices, 
so I'd like to set up a DNS server which would:

1/ return local addresses for a subset of records
2/ forward the queries to the external server if it cannot answer

Of course I could probably write a batch which retrieves the zone from 
the external server and rewrites some records with local addresses, but 
I think there could be a more elegant way to do this.


Help would be welcome

Thanks in advance

--
Johan VAN RYSEGHEM - RIAS Developer
Websiteburo | Interactive Media Agency | Bordeaux/Paris
johan.van.ryseg...@websiteburo.com : 06.77.88.51.60 - Landline: 05.47.74.74.20
http://www.websiteburo.com