iquery and Cybercop Scanner
Mark.Andrews at nominum.com
Thu Apr 13 23:36:11 UTC 2000
> I am running BIND 8 patch lvl 5 on a Solaris 2.6 system. When I ran a
> recent install of Cybercop scanner it reported the following:
>
> "We suggest you do not compile your name daemon with IQUERY support.
> Keeping this support in you name daemon will allot intruders to poll
> zone transfers regardless of whether you allow them or not"
>
> Three questions on this:
>
> 1. At the version I am running, am I still vulnerable? I saw a post on a
> bind mailing list saying this was fixed. So is this a false positive?
There are no known holes in the current iquery code (BIND 8.2.2-P5 /
BIND 8.2.3-TB2). It is also no longer possible to walk the IP
address space and get all the associated names via IQUERY which is
what the message above is about. It looks like Cybercop needs a
better probe routine that can determine the difference between
a fake iquery response ([ipaddress]) and a real iquery response
(domain name).
>
> 2. What would it hurt to compile this out?
In general no. By default iquery processing is turned off.
Turning it on (options { fake-iquery yes; };) only enables fake
iquery processing to satisfy broken clients that rely on iquery
answers (RFC 103[45] says that you should *not* use iqueries in
production clients).
>
> 3. How do I compile it out? Couldn't find a reference detailing the
> switches needed for the make.
There used to be a compile option that allowed full blown IQUERY
processing. The current code base only has fake iquery support
and is controlled by a configuration option.
To remove the code you would need to remove res_iquery() in
src/bin/named/ns_req.c.
Mark
>
> Thanks
>
> --
> -John
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
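
Added example (not part of the original message and not code from BIND or Cybercop): a sketch of the check the reply says a probe routine needs, telling a fake iquery response ([ipaddress]) apart from a real one (domain name). It assumes the fake answer name is an IPv4 address in square brackets, as the reply describes; the function names and the sample messages built by build_response() are constructed for illustration.

```python
import ipaddress
import struct

OPCODE_IQUERY = 1  # RFC 1035 opcode for inverse queries


def read_name(msg, off):
    """Decode an uncompressed domain name at msg[off:]; return (name, next_off)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in question name")
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def classify_iquery_response(msg):
    """Return 'not-iquery', 'no-answer', 'fake' or 'real' for a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_IQUERY:
        return "not-iquery"              # not a response, or a different opcode
    if flags & 0xF != 0 or qdcount == 0:
        return "no-answer"               # error rcode or empty question section
    name, _ = read_name(msg, 12)
    if name.startswith("[") and name.endswith("]"):
        try:
            ipaddress.IPv4Address(name[1:-1])
            return "fake"                # server only echoed the address back
        except ValueError:
            pass
    return "real"                        # an actual domain name was returned


def build_response(name, rcode=0):
    """Constructed sample: IQUERY response header plus one question (A, IN)."""
    flags = 0x8000 | (OPCODE_IQUERY << 11) | rcode
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)
```

A scanner applying this check would report a finding only for the "real" result; "fake" means the server returned nothing beyond the address it was sent.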