iquery and Cybercop Scanner

[Mark.Andrews at nominum.com]

>  I am running BIND 8 patch lvl 5 on a Solaris 2.6 system. When I ran a
> recent install of Cybercop scanner it reported the following:
> 
> "We suggest you do not compile your name daemon with IQUERY support.
> Keeping this support in you name daemon will allot intruders to poll
> zone transfers regardless of whether you allow them or not"
> 
> Three questions on this:
> 
> 1. At the version I am running am I still vulnerable. I saw a post on a
> bind mailing list saying this was fixed. So is this a false positive.

	There are no known holes in the current iquery code (BIND 8.2.2-P5 /
	BIND 8.2.3-TB2).  It is also no longer possible to walk the IP
	address space and get all the associated names via IQUERY which is
	what the message above is about.  It looks like Cybercop needs a
	better probe routine that can determine the difference between
	a fake iquery response ([ipaddress]) and a real iquery response
	(domain name).
> 
> 2. What would it hurt to compile this out?

	In general no.  By default iquery processing is turned off.
	Turning it on (options { fake-iquery yes; };) only enables fake
	iquery processing to satisfy broken clients that rely on iquery
	answers (RFC 103[45] says that you should *not* use iqueries in
	production clients).

> 
> 3. How do I compile it out? Couldnt find a reference detailing the
> switche needed for the make.

	There used to be a compile option that allowed full blown IQUERY
	processing.  The current code base only has fake iquery support
	and is controlled by a configuration option.

	To remove the code you would need to remove res_iquery() in
	src/bin/named/ns_req.c.

	Mark
> 
> Thanks
> 
> --
> -John
> 
> 
> Sent via Deja.com http://www.deja.com/
> Before you buy.
> 
> 
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com