Re: Need help to know about ROOT DNS query
On Thu, Mar 17, 2011 at 07:50:41PM +0530, babu dheen wrote:
> ...
> Can anyone let me know whether a company internal DNS server should respond
> to a ROOT DNS query. When I execute
>
>   # dig . NS @my-company-name-server
>
> I am getting a complete response. Let me know whether enabling ROOT DNS
> query is a security threat. For more information, can you read and help us
> to securely configure our company internal Windows DNS server, and the
> impact of disabling it.
> ...

Babu Dheen,

If you had a private internet with its own root name servers, and supposedly
no IP access to the public Internet except via proxied firewalls, and you got
this response, you would need to start looking for leaks.

In your situation, where you are forwarding queries to the outside world,
this response is appropriate and necessary.

--
/*\
**
** Joe Yao                      j...@tux.org - Joseph S. D. Yao
**
\*/
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Need help to know about ROOT DNS query
Hi,

Thanks for the response. But I read an article on the sans.org website that
an internal DNS server should not respond to a ROOT NS query. Please find the
below URLs for more information.

http://isc1.sans.org/dnstest.html
http://isc.sans.edu/diary.html?storyid=5713

Kindly help me.

--- On Thu, 17/3/11, Warren Kumari war...@kumari.net wrote:

> From: Warren Kumari war...@kumari.net
> Subject: Re: Need help to know about ROOT DNS query
> To: babu dheen babudh...@yahoo.co.in
> Cc: bind-users@lists.isc.org
> Date: Thursday, 17 March, 2011, 8:50 PM
>
> Nah, that's fine (and normal). BIND comes configured with the roots so that
> it can start resolution.
>
> I guess I don't fully understand your concern here -- is it that you are
> worried that the root might see queries and so know your internal hostnames?
>
> W
>
> Warren Kumari
> -- Please excuse typing, etc -- This was sent from a device with a tiny keyboard.
>
> On Mar 17, 2011, at 7:20 AM, babu dheen babudh...@yahoo.co.in wrote:
>
>> Hi,
>>
>> We have two internal Windows DNS servers which answer all DNS queries by
>> forwarding them to a gateway DNS server running Redhat BIND. But I have a
>> query regarding allowing ROOT DNS queries on the internal DNS servers.
>>
>> Can anyone let me know whether a company internal DNS server should respond
>> to a ROOT DNS query. When I execute
>>
>>   # dig . NS @my-company-name-server
>>
>> I am getting a complete response. Let me know whether enabling ROOT DNS
>> query is a security threat. For more information, can you read and help us
>> to securely configure our company internal Windows DNS server, and the
>> impact of disabling it.
>>
>> ; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
>> ; (1 server found)
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10
>>
>> ;; QUESTION SECTION:
>> ;.                              IN      NS
>>
>> ;; ANSWER SECTION:
>> .                       49842   IN      NS      j.root-servers.net.
>> .                       49842   IN      NS      k.root-servers.net.
>> .                       49842   IN      NS      l.root-servers.net.
>> .                       49842   IN      NS      m.root-servers.net.
>> .                       49842   IN      NS      a.root-servers.net.
>> .                       49842   IN      NS      b.root-servers.net.
>> .                       49842   IN      NS      c.root-servers.net.
>> .                       49842   IN      NS      d.root-servers.net.
>> .                       49842   IN      NS      e.root-servers.net.
>> .                       49842   IN      NS      f.root-servers.net.
>> .                       49842   IN      NS      g.root-servers.net.
>> .                       49842   IN      NS      h.root-servers.net.
>> .                       49842   IN      NS      i.root-servers.net.
>>
>> ;; ADDITIONAL SECTION:
>> j.root-servers.net.     49842   IN      A       192.58.128.30
>> a.root-servers.net.     49842   IN      A       198.41.0.4
>> b.root-servers.net.     49842   IN      A       192.228.79.201
>> c.root-servers.net.     49842   IN      A       192.33.4.12
>> d.root-servers.net.     49842   IN      A       128.8.10.90
>> e.root-servers.net.     49842   IN      A       192.203.230.10
>> f.root-servers.net.     49842   IN      A       192.5.5.241
>> g.root-servers.net.     49842   IN      A       192.112.36.4
>> h.root-servers.net.     49842   IN      A       128.63.2.53
>> i.root-servers.net.     49842   IN      A       192.36.148.17
>>
>> ;; Query time: 34 msec
>> ;; SERVER: 10.0.0.1#53(10.132.1.13)
>> ;; WHEN: Thu Mar 17 17:16:18 2011
>> ;; MSG SIZE  rcvd: 401
Re: Need help to know about ROOT DNS query
In message 8423.3972...@web137314.mail.in.yahoo.com, babu dheen writes:
> Hi,
>
> Thanks for the response. But I read an article on the sans.org website that
> an internal DNS server should not respond to a ROOT NS query. Please find the
> below URLs for more information.
>
> http://isc1.sans.org/dnstest.html
> http://isc.sans.edu/diary.html?storyid=5713
>
> Kindly help me.

The query is being used to determine if the nameserver is offering recursive
services to machines it shouldn't. There isn't anything wrong with the query
itself, or with returning the NS records if the machine should be getting
recursive service.

> --- On Thu, 17/3/11, Warren Kumari war...@kumari.net wrote:
> ...

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
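Mark's point is the one the SANS dnstest page relies on: `dig . NS @server` sends an ordinary query with the RD bit set, and what the tester reads is not the 13 NS records but the RA flag and the presence of an answer, which together say "this server will recurse for the address that asked". The following is an added worked example written for this thread (my own code, not from bind-users, ISC or SANS): it builds the same query dig sends, decodes the header fields dig prints on its flags line, and classifies responses the way the test does. The response packets are constructed by hand for the demo (the TTL 49842 and the 13 root names are taken from the dig output quoted earlier); `probe()` is the only part that talks to a real server, and the offline demo does not call it.

```python
"""Offline model of the '. NS' open-resolver probe (what `dig . NS @server` sends).

Added example for this thread, not code from bind-users, ISC or SANS. It builds
the same query dig sends (QNAME ".", QTYPE NS, RD=1) and classifies responses
the way the dnstest page does: RA=1 plus an ANSWER section means the server is
recursing for the client that asked. All response packets here are constructed
by hand for the demo; nothing is captured from a real server.
"""
import socket
import struct

QTYPE_NS, QCLASS_IN = 2, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# The 13 root server names returned in the thread's dig output.
ROOT_SERVERS = tuple(f"{c}.root-servers.net." for c in "abcdefghijklm")


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte ('.' is just b'\\x00')."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_root_ns_query(txid: int, rd: bool = True) -> bytes:
    """Header + question for '. IN NS'. RD=1 asks the server to recurse, as dig does by default."""
    flags = 0x0100 if rd else 0x0000          # QR=0, opcode QUERY, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(".") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields dig prints on its ';; ->>HEADER<<-' and flags lines."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def make_root_ns_response(txid: int, *, ra: bool, rcode: int = 0, servers=()) -> bytes:
    """Constructed reply: echoes the question, then one '. NS <server>' RR per name given."""
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)   # QR, RD, RA?, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(servers), 0, 0)
    question = encode_name(".") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    answers = b""
    for name in servers:
        rdata = encode_name(name)
        answers += encode_name(".") + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 49842, len(rdata)) + rdata
    return header + question + answers


def classify_root_ns_response(query: bytes, response: bytes) -> str:
    """'recursion-offered': RA set and answers returned; the server resolves for this client.
    'refused': RCODE REFUSED; recursion (and cache access) denied to this client.
    'referral-only': RA clear and no answers; authoritative-only behaviour.
    'invalid': not a reply to our query (bad length, QR clear, or ID mismatch)."""
    if len(response) < 12:
        return "invalid"
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "invalid"
    if r["rcode"] == 5:
        return "refused"
    if r["ra"] and r["ancount"] > 0:
        return "recursion-offered"
    return "referral-only"


def probe(server: str, txid: int = 34899, timeout: float = 3.0) -> str:
    """Send the real probe over UDP/53 (needs network; not used by the offline demo below).
    Run it from the network segment you are worried about: an internal client should
    see 'recursion-offered', an Internet-side client should see 'refused'."""
    query = build_root_ns_query(txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_root_ns_response(query, response)


if __name__ == "__main__":
    query = build_root_ns_query(34899)
    samples = {
        "internal resolver (thread's 10.0.0.1)": make_root_ns_response(34899, ra=True, servers=ROOT_SERVERS),
        "allow-recursion denies this client":   make_root_ns_response(34899, ra=False, rcode=5),
        "authoritative-only server":            make_root_ns_response(34899, ra=False),
    }
    for label, resp in samples.items():
        h = parse_header(resp)
        flags = " ".join(f for f in ("qr", "rd", "ra") if h[f])
        print(f"{label:40s} flags: {flags:9s} status: {RCODE_NAMES[h['rcode']]:8s} "
              f"ANSWER: {h['ancount']:2d} -> {classify_root_ns_response(query, resp)}")
```

The first sample reproduces the header from the thread (flags `qr rd ra`, NOERROR, ANSWER: 13), which is exactly what an internal resolver should return to an internal client. The thing to check is the same probe from outside the permitted client range: a BIND server whose `allow-recursion` excludes that source returns REFUSED with RA clear, and that, not the absence of root NS records, is what the SANS test is looking for.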
Re: Need help to know about ROOT DNS query
Quoting babu dheen babudh...@yahoo.co.in:
> Hi,
>
> We have two internal Windows DNS servers which answer all DNS queries by
> forwarding them to a gateway DNS server running Redhat BIND. But I have a
> query regarding allowing ROOT DNS queries on the internal DNS servers.

I guess it does not mean your internal servers should deliver results for the
query ". NS", because this is the default and no security risk at all. I
suspect that the demand is for not using the forwarders, but doing DNS queries
from within the network on its own, by asking the root servers and the whole
chain, like dig +trace?

Regards

Andreas
Re: Need help to know about ROOT DNS query
Nah, that's fine (and normal). BIND comes configured with the roots so that
it can start resolution.

I guess I don't fully understand your concern here -- is it that you are
worried that the root might see queries and so know your internal hostnames?

W

Warren Kumari
-- Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

On Mar 17, 2011, at 7:20 AM, babu dheen babudh...@yahoo.co.in wrote:

> Hi,
>
> We have two internal Windows DNS servers which answer all DNS queries by
> forwarding them to a gateway DNS server running Redhat BIND. But I have a
> query regarding allowing ROOT DNS queries on the internal DNS servers.
>
> Can anyone let me know whether a company internal DNS server should respond
> to a ROOT DNS query. When I execute
>
>   # dig . NS @my-company-name-server
>
> I am getting a complete response. Let me know whether enabling ROOT DNS
> query is a security threat. For more information, can you read and help us
> to securely configure our company internal Windows DNS server, and the
> impact of disabling it.
>
> ; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
> ...