Re: Need help to know about ROOT DNS query

2011-03-26 Thread Joseph S D Yao
On Thu, Mar 17, 2011 at 07:50:41PM +0530, babu dheen wrote:
...
> Can anyone let me know whether company Internal DNS server should respond to 
> ROOT DNS query. When I execute # dig . NS @my-company-name-server query  I am 
> getting complete response
>  
>  Let me know whether enabling ROOT DNS query is a security threat. For more 
> information can you read and help us to securely configure our company 
> internal Windows DNS server and its impact of disabling it.
>  
...


Babu Dheen,

If you had a private internet with its own "root" name servers, and
supposedly no IP access to the public Internet except via proxied
firewalls, and you got this response, you would need to start looking
for leaks.

In your situation, where you are forwarding queries to the outside
world, this response is appropriate and necessary.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Need help to know about ROOT DNS query

2011-03-18 Thread Mark Andrews

In message <8423.3972...@web137314.mail.in.yahoo.com>, babu dheen writes:
> Hi,
>  
> Thanks for the response. But I read an article in sans.org website that
> internal DNS server should not respond to ROOT NS query.
>  
>  Please find the below URL for more information.
>  
> http://isc1.sans.org/dnstest.html
> http://isc.sans.edu/diary.html?storyid=5713
>  
>  Kindly help me.

The query is being used to determine if the nameserver is offering
recursive services to machines it shouldn't.  There isn't anything
wrong with the query itself or with returning the NS records if the
machine should be getting recursive service.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
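
Added example, not part of the thread: a Python check for the test Mark Andrews describes, reading the header of a `dig . NS` reply and judging it against which clients are supposed to get recursive service. The allowed network list, the client addresses and the REFUSED sample are assumptions constructed for illustration; the NOERROR sample reuses the header values from the posted output.

```python
import ipaddress
import re

# Constructed sample: header lines in the shape dig prints (values from the post).
SAMPLE_OPEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10
"""
# Constructed sample: a reply from a server that declines to serve the client.
SAMPLE_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"flags:\s*([a-z ]*);\s*QUERY:\s*(\d+),\s*ANSWER:\s*(\d+),"
                      r"\s*AUTHORITY:\s*(\d+)")

def parse_dig(text):
    """Extract status, flag set and section counts from dig's header lines."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return {"status": status.group(1), "flags": set(flags.group(1).split()),
            "answer": int(flags.group(3)), "authority": int(flags.group(4))}

def recursion_offered(resp):
    # Heuristic (assumption): NOERROR, the "ra" flag and a filled answer
    # section together mean this client was given recursive service.
    return (resp["status"] == "NOERROR" and "ra" in resp["flags"]
            and resp["answer"] > 0)

def assess(text, client_ip, allowed_nets):
    """Judge one reply by where the querying client sits."""
    resp = parse_dig(text)
    client = ipaddress.ip_address(client_ip)
    permitted = any(client in ipaddress.ip_network(n) for n in allowed_nets)
    offered = recursion_offered(resp)
    if offered and not permitted:
        return "FINDING: recursion offered to a client outside the allowed networks"
    if offered:
        return "OK: recursion offered to a permitted client"
    if permitted:
        return "CHECK: permitted client was not given recursive service"
    return "OK: no recursive service for this client"

if __name__ == "__main__":
    print(assess(SAMPLE_OPEN, "10.0.0.25", ["10.0.0.0/8"]))
    print(assess(SAMPLE_OPEN, "203.0.113.7", ["10.0.0.0/8"]))
```

The same reply is fine from an internal client and a finding from an outside one, which is why the verdict depends on where the query was sent from rather than on the NS records returned.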


Re: Need help to know about ROOT DNS query

2011-03-18 Thread babu dheen
Hi,
 
Thanks for the response. But I read an article in sans.org website that internal 
DNS server should not respond to ROOT NS query.
 
 Please find the below URL for more information.
 
http://isc1.sans.org/dnstest.html
http://isc.sans.edu/diary.html?storyid=5713
 
 Kindly help me.




Re: Need help to know about ROOT DNS query

2011-03-17 Thread Warren Kumari
Nah, that's fine (and normal).

BIND comes configured with the roots so that it can start resolution. I guess I 
don't fully understand your concern here -- is it that you are worried that the 
root might see queries and so know your internal hostnames?

W

Warren Kumari
--
Please excuse typing, etc -- This was sent from a device with a tiny keyboard.


Re: Need help to know about ROOT DNS query

2011-03-17 Thread lst_hoe02

Quoting babu dheen:

> Hi,
>
> We have two internal Windows DNS servers which answer all DNS query
> by forwarding it to gateway DNS server running in Redhat BIND. But I
> have a query regarding allowing ROOT DNS query on internal DNS server.


I guess it does not mean your internal servers should deliver results
for query ". NS" because this is the default and no security risk at
all. I suspect that the demand is for not using the forwarders but doing
DNS queries from within the network on its own by asking the root
servers and the whole chain like dig +trace?


Regards

Andreas






Need help to know about ROOT DNS query

2011-03-17 Thread babu dheen
Hi,
 
 We have two internal Windows DNS servers which answer all DNS query by 
forwarding it to gateway DNS server running in Redhat BIND. But I have a query 
regarding allowing ROOT DNS query on internal DNS server.
 
Can anyone let me know whether company Internal DNS server should respond to 
ROOT DNS query. When I execute # dig . NS @my-company-name-server query  I am 
getting complete response
 
 Let me know whether enabling ROOT DNS query is a security threat. For more 
information can you read and help us to securely configure our company internal 
Windows DNS server and its impact of disabling it.
 
 
; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10
;; QUESTION SECTION:
;.  IN  NS
;; ANSWER SECTION:
.   49842   IN  NS  j.root-servers.net.
.   49842   IN  NS  k.root-servers.net.
.   49842   IN  NS  l.root-servers.net.
.   49842   IN  NS  m.root-servers.net.
.   49842   IN  NS  a.root-servers.net.
.   49842   IN  NS  b.root-servers.net.
.   49842   IN  NS  c.root-servers.net.
.   49842   IN  NS  d.root-servers.net.
.   49842   IN  NS  e.root-servers.net.
.   49842   IN  NS  f.root-servers.net.
.   49842   IN  NS  g.root-servers.net.
.   49842   IN  NS  h.root-servers.net.
.   49842   IN  NS  i.root-servers.net.
;; ADDITIONAL SECTION:
j.root-servers.net. 49842   IN  A   192.58.128.30
a.root-servers.net. 49842   IN  A   198.41.0.4
b.root-servers.net. 49842   IN  A   192.228.79.201
c.root-servers.net. 49842   IN  A   192.33.4.12
d.root-servers.net. 49842   IN  A   128.8.10.90
e.root-servers.net. 49842   IN  A   192.203.230.10
f.root-servers.net. 49842   IN  A   192.5.5.241
g.root-servers.net. 49842   IN  A   192.112.36.4
h.root-servers.net. 49842   IN  A   128.63.2.53
i.root-servers.net. 49842   IN  A   192.36.148.17
;; Query time: 34 msec
;; SERVER: 10.0.0.1#53(10.132.1.13)
;; WHEN: Thu Mar 17 17:16:18 2011
;; MSG SIZE  rcvd: 401

