Re: Need help to know about ROOT DNS query

2011-03-26 Thread Joseph S D Yao
On Thu, Mar 17, 2011 at 07:50:41PM +0530, babu dheen wrote:
...
 Can anyone let me know whether company Internal DNS server should respond to
 ROOT DNS query. When I execute # dig . NS @my-company-name-server query  I am
 getting complete response

  Let me know whether enabling ROOT DNS query is a security threat. For more
 information can you read and help us to securely configure our company
 internal Windows DNS server and its impact of disabling it.
  
...


Babu Dheen,

If you had a private internet with its own root name servers, and
supposedly no IP access to the public Internet except via proxied
firewalls, and you got this response, you would need to start looking
for leaks.

In your situation, where you are forwarding queries to the outside
world, this response is appropriate and necessary.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Need help to know about ROOT DNS query

2011-03-18 Thread babu dheen
Hi,
 
Thanks for the response. But I read an article in sans.org website that internal
DNS server should not respond to ROOT NS query.
 
 Please find the below URL for more information.
 
http://isc1.sans.org/dnstest.html
http://isc.sans.edu/diary.html?storyid=5713
 
 Kindly help me.



--- On Thu, 17/3/11, Warren Kumari war...@kumari.net wrote:


From: Warren Kumari war...@kumari.net
Subject: Re: Need help to know about ROOT DNS query
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Date: Thursday, 17 March, 2011, 8:50 PM



Nah, that's fine (and normal).


BIND comes configured with the roots so that it can start resolution. I guess I 
don't fully understand your concern here -- is it that you are worried that the 
root might see queries and so know your internal hostnames?


W


Warren Kumari
--Please excuse typing, etc -- This was sent from a device with a tiny 
keyboard.

On Mar 17, 2011, at 7:20 AM, babu dheen babudh...@yahoo.co.in wrote:

Hi,
 
 We have two internal Windows DNS servers which answer all DNS query by
forwarding it to gateway DNS server running in Redhat BIND. But I have a query
regarding allowing ROOT DNS query on internal DNS server.

Can anyone let me know whether company Internal DNS server should respond to
ROOT DNS query. When I execute # dig . NS @my-company-name-server query  I am
getting complete response

 Let me know whether enabling ROOT DNS query is a security threat. For more
information can you read and help us to securely configure our company internal
Windows DNS server and its impact of disabling it.
 
 
; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10
;; QUESTION SECTION:
;.  IN  NS
;; ANSWER SECTION:
.   49842   IN  NS  j.root-servers.net.
.   49842   IN  NS  k.root-servers.net.
.   49842   IN  NS  l.root-servers.net.
.   49842   IN  NS  m.root-servers.net.
.   49842   IN  NS  a.root-servers.net.
.   49842   IN  NS  b.root-servers.net.
.   49842   IN  NS  c.root-servers.net.
.   49842   IN  NS  d.root-servers.net.
.   49842   IN  NS  e.root-servers.net.
.   49842   IN  NS  f.root-servers.net.
.   49842   IN  NS  g.root-servers.net.
.   49842   IN  NS  h.root-servers.net.
.   49842   IN  NS  i.root-servers.net.
;; ADDITIONAL SECTION:
j.root-servers.net. 49842   IN  A   192.58.128.30
a.root-servers.net. 49842   IN  A   198.41.0.4
b.root-servers.net. 49842   IN  A   192.228.79.201
c.root-servers.net. 49842   IN  A   192.33.4.12
d.root-servers.net. 49842   IN  A   128.8.10.90
e.root-servers.net. 49842   IN  A   192.203.230.10
f.root-servers.net. 49842   IN  A   192.5.5.241
g.root-servers.net. 49842   IN  A   192.112.36.4
h.root-servers.net. 49842   IN  A   128.63.2.53
i.root-servers.net. 49842   IN  A   192.36.148.17
;; Query time: 34 msec
;; SERVER: 10.0.0.1#53(10.132.1.13)
;; WHEN: Thu Mar 17 17:16:18 2011
;; MSG SIZE  rcvd: 401




Re: Need help to know about ROOT DNS query

2011-03-18 Thread Mark Andrews

In message 8423.3972...@web137314.mail.in.yahoo.com, babu dheen writes:
 Hi,
  
 Thanks for the response. But I read an article in sans.org website that internal
 DNS server should not respond to ROOT NS query.
  
  Please find the below URL for more information.
  
 http://isc1.sans.org/dnstest.html
 http://isc.sans.edu/diary.html?storyid=5713
  
  Kindly help me.

The query is being used to determine if the nameserver is offering
recursive services to machines it shouldn't.  There isn't anything
wrong with the query itself or with returning the NS records if the
machine should be getting recursive service.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
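
An added example, not part of any post in this thread: a header-level check of how a server treats the `. NS` query discussed above, meant to be run against your own server from a client that should not be receiving recursive service. The function names and result labels are illustrative assumptions, and the probe assumes IPv4 over UDP.

```python
import secrets
import socket
import struct

def build_root_ns_query(txid: int) -> bytes:
    """DNS query for '. NS' with RD set, as `dig . NS @server` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", 2, 1)  # root name, NS, IN

def classify_response(resp: bytes, txid: int) -> str:
    """Interpret only the 12-byte header of the reply."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:      # wrong id or QR bit clear
        return "malformed"
    rcode, ra = flags & 0x000F, bool(flags & 0x0080)
    if rcode == 5:
        return "refused"                       # no service for this client
    if rcode == 0 and ra and an > 0:
        return "recursion-offered"             # the case shown in the thread
    if rcode == 0 and an == 0 and ns > 0:
        return "referral"                      # root hints only, no recursion
    return "other"

def probe(server: str, timeout: float = 3.0) -> str:
    """Send the query over UDP; run from a client that should NOT be served."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_ns_query(txid), (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(resp, txid)

# Constructed sample: header fields copied from the dig output in the thread
# (id 34899, flags qr rd ra, ANSWER 13, ADDITIONAL 10); record data omitted.
SAMPLE = struct.pack("!HHHHHH", 34899, 0x8180, 1, 13, 0, 10) + b"\x00\x00\x02\x00\x01"

if __name__ == "__main__":
    print(classify_response(SAMPLE, 34899))
```

A result of "recursion-offered" is expected for internal clients that the server is meant to serve; it only needs attention when the probing host is one that should not get recursive service.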


Re: Need help to know about ROOT DNS query

2011-03-17 Thread lst_hoe02

Quoting babu dheen babudh...@yahoo.co.in:


Hi,
 
 We have two internal Windows DNS servers which answer all DNS query  
by forwarding it to gateway DNS server running in Redhat BIND. But i  
have a query regarding allowing ROOT DNS query on internal DNS server.


I guess it does not mean your internal servers should deliver results
for query . NS because this is the default and no security risk at
all. I suspect that the demand is for not using the forwarders but do
DNS queries from within the network on its own by asking the root
servers and the whole chain like dig +trace?


Regards

Andreas






Re: Need help to know about ROOT DNS query

2011-03-17 Thread Warren Kumari
Nah, that's fine (and normal).

BIND comes configured with the roots so that it can start resolution. I guess I 
don't fully understand your concern here -- is it that you are worried that the 
root might see queries and so know your internal hostnames?

W

Warren Kumari
--
Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

On Mar 17, 2011, at 7:20 AM, babu dheen babudh...@yahoo.co.in wrote:

 Hi,
  
  We have two internal Windows DNS servers which answer all DNS query by
 forwarding it to gateway DNS server running in Redhat BIND. But I have a
 query regarding allowing ROOT DNS query on internal DNS server.

 Can anyone let me know whether company Internal DNS server should respond to
 ROOT DNS query. When I execute # dig . NS @my-company-name-server query  I am
 getting complete response

  Let me know whether enabling ROOT DNS query is a security threat. For more
 information can you read and help us to securely configure our company
 internal Windows DNS server and its impact of disabling it.
  
  
 ; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
 ; (1 server found)
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10
 ;; QUESTION SECTION:
 ;.  IN  NS
 ;; ANSWER SECTION:
 .   49842   IN  NS  j.root-servers.net.
 .   49842   IN  NS  k.root-servers.net.
 .   49842   IN  NS  l.root-servers.net.
 .   49842   IN  NS  m.root-servers.net.
 .   49842   IN  NS  a.root-servers.net.
 .   49842   IN  NS  b.root-servers.net.
 .   49842   IN  NS  c.root-servers.net.
 .   49842   IN  NS  d.root-servers.net.
 .   49842   IN  NS  e.root-servers.net.
 .   49842   IN  NS  f.root-servers.net.
 .   49842   IN  NS  g.root-servers.net.
 .   49842   IN  NS  h.root-servers.net.
 .   49842   IN  NS  i.root-servers.net.
 ;; ADDITIONAL SECTION:
 j.root-servers.net. 49842   IN  A   192.58.128.30
 a.root-servers.net. 49842   IN  A   198.41.0.4
 b.root-servers.net. 49842   IN  A   192.228.79.201
 c.root-servers.net. 49842   IN  A   192.33.4.12
 d.root-servers.net. 49842   IN  A   128.8.10.90
 e.root-servers.net. 49842   IN  A   192.203.230.10
 f.root-servers.net. 49842   IN  A   192.5.5.241
 g.root-servers.net. 49842   IN  A   192.112.36.4
 h.root-servers.net. 49842   IN  A   128.63.2.53
 i.root-servers.net. 49842   IN  A   192.36.148.17
 ;; Query time: 34 msec
 ;; SERVER: 10.0.0.1#53(10.132.1.13)
 ;; WHEN: Thu Mar 17 17:16:18 2011
 ;; MSG SIZE  rcvd: 401
 