cname quick question

Brad Knowles brad.knowles at skynet.be
Thu Mar 8 21:12:56 UTC 2001


At 6:48 PM +0000 3/8/01, Jim Reid wrote:

>  Try rfc1035.org. However 2 of the name servers for this zone don't
>  seem to like DNAME records. They still answer with the old version of
>  the zone, so I presume either named-xfer or named is barfing on the
>  DNAME. Oh well.

	Either way, the zone isn't being transferred.  I see two 
different SOA serial numbers for this zone (2001030800 from 
gns1.nominum.com, gns2.nominum.com, & ns0.rfc1035.com; while I get 
2000092500 from ns-ext.vix.com and ns1.bt.net).  It also seems that 
ns1.bt.net is answering non-authoritatively:

$ dig @ns1.bt.net. rfc1035.org. any

; <<>> DiG 8.1 <<>> @ns1.bt.net. rfc1035.org. any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 5, ADDITIONAL: 5

^^^^^^^^^^^^^^^^^^^  Note lack of "aa" field here

;; QUERY SECTION:
;;      rfc1035.org, type = ANY, class = IN

;; ANSWER SECTION:
rfc1035.org.            21h10m47s IN NS  ns1.bt.net.
rfc1035.org.            21h10m47s IN NS  ns1.rfc1035.com.
rfc1035.org.            21h10m47s IN NS  ns2.rfc1035.com.
rfc1035.org.            21h10m47s IN NS  ns-ext.vix.com.
rfc1035.org.            21h10m47s IN NS  ns0.rfc1035.com.
rfc1035.org.            21h10m48s IN SOA  gromit.rfc1035.com. 
hostmaster.rfc1035.com. (
                                         2000092500      ; serial
                                         3H              ; refresh
                                         1H              ; retry
                                         4w2d            ; expiry
                                         1D )            ; minimum


;; AUTHORITY SECTION:
rfc1035.org.            21h10m47s IN NS  ns1.bt.net.
rfc1035.org.            21h10m47s IN NS  ns1.rfc1035.com.
rfc1035.org.            21h10m47s IN NS  ns2.rfc1035.com.
rfc1035.org.            21h10m47s IN NS  ns-ext.vix.com.
rfc1035.org.            21h10m47s IN NS  ns0.rfc1035.com.

;; ADDITIONAL SECTION:
ns1.bt.net.             1D IN A         194.72.6.52
ns1.rfc1035.com.        1D IN A         198.133.199.1
ns2.rfc1035.com.        1D IN A         198.133.199.2
ns-ext.vix.com.         1d14h11m55s IN A  204.152.184.64
ns0.rfc1035.com.        1D IN A         62.6.242.6

;; Total query time: 217 msec
;; WHEN: Thu Mar  8 16:15:02 2001
;; MSG SIZE  sent: 29  rcvd: 347


	Strangely, it also seems that gns1.nominum.com and 
gns2.nominum.com are lame delegations -- they appear in the list from 
the parent servers, but not in the list from the authoritative 
servers:

$ dig @a.gtld-servers.net. rfc1035.org. any

; <<>> DiG 8.1 <<>> @a.gtld-servers.net. rfc1035.org. any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 5
;; QUERY SECTION:
;;      rfc1035.org, type = ANY, class = IN

;; ANSWER SECTION:
rfc1035.org.            2D IN NS        NS1.BT.NET.
rfc1035.org.            2D IN NS        NS-EXT.VIX.COM.
rfc1035.org.            2D IN NS        NS0.RFC1035.COM.
rfc1035.org.            2D IN NS        GNS2.NOMINUM.COM.
rfc1035.org.            2D IN NS        GNS1.NOMINUM.COM.

;; AUTHORITY SECTION:
rfc1035.org.            2D IN NS        NS1.BT.NET.
rfc1035.org.            2D IN NS        NS-EXT.VIX.COM.
rfc1035.org.            2D IN NS        NS0.RFC1035.COM.
rfc1035.org.            2D IN NS        GNS2.NOMINUM.COM.
rfc1035.org.            2D IN NS        GNS1.NOMINUM.COM.

;; ADDITIONAL SECTION:
NS1.BT.NET.             2D IN A         194.72.6.52
NS-EXT.VIX.COM.         2D IN A         204.152.184.64
NS0.RFC1035.COM.        2D IN A         62.6.242.6
GNS2.NOMINUM.COM.       2D IN A         198.133.199.2
GNS1.NOMINUM.COM.       2D IN A         198.133.199.1

;; Total query time: 92 msec
;; WHEN: Thu Mar  8 16:17:25 2001
;; MSG SIZE  sent: 29  rcvd: 303

$ dig @NS0.RFC1035.COM. rfc1035.org. any

; <<>> DiG 8.1 <<>> @NS0.RFC1035.COM. rfc1035.org. any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 5, ADDITIONAL: 5
;; QUERY SECTION:
;;      rfc1035.org, type = ANY, class = IN

;; ANSWER SECTION:
rfc1035.org.            1D IN SOA       gromit.rfc1035.com. 
hostmaster.rfc1035.com. (
                                         2001030800      ; serial
                                         3H              ; refresh
                                         1H              ; retry
                                         4w2d            ; expiry
                                         1D )            ; minimum

rfc1035.org.            1D IN TXT       "$Id: rfc1035.org,v 1.4 
2001/03/08 18:04:40 jim Exp $"
rfc1035.org.            1D IN NS        ns2.rfc1035.com.
rfc1035.org.            1D IN NS        ns-ext.vix.com.
rfc1035.org.            1D IN NS        ns0.rfc1035.com.
rfc1035.org.            1D IN NS        ns1.bt.net.
rfc1035.org.            1D IN NS        ns1.rfc1035.com.
rfc1035.org.            1D IN 39        \#(             ; unknown RR type
         07 72 66 63 31 30 33 35 03 63 6f 6d 00 )        ; .rfc1035.com.
rfc1035.org.            1D IN MX        30 relay1.bt.net.
rfc1035.org.            1D IN MX        10 gromit.rfc1035.com.
rfc1035.org.            1D IN MX        20 relay2.bt.net.

;; AUTHORITY SECTION:
rfc1035.org.            1D IN NS        ns1.bt.net.
rfc1035.org.            1D IN NS        ns1.rfc1035.com.
rfc1035.org.            1D IN NS        ns2.rfc1035.com.
rfc1035.org.            1D IN NS        ns-ext.vix.com.
rfc1035.org.            1D IN NS        ns0.rfc1035.com.

;; ADDITIONAL SECTION:
ns0.rfc1035.com.        1D IN A         62.6.242.6
ns1.rfc1035.com.        1D IN A         198.133.199.1
ns2.rfc1035.com.        1D IN A         198.133.199.2
gromit.rfc1035.com.     1D IN A         62.6.242.6
gromit.rfc1035.com.     1D IN A         62.6.242.9

;; Total query time: 320 msec
;; WHEN: Thu Mar  8 16:18:31 2001
;; MSG SIZE  sent: 29  rcvd: 499

$ dig @ns-ext.vix.com. rfc1035.org. any

; <<>> DiG 8.1 <<>> @ns-ext.vix.com. rfc1035.org. any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 10, AUTHORITY: 5, ADDITIONAL: 6
;; QUERY SECTION:
;;      rfc1035.org, type = ANY, class = IN

;; ANSWER SECTION:
rfc1035.org.            1D IN TXT       "$Id: rfc1035.org,v 1.3 
2000/09/25 11:44:52 jim Exp $"
rfc1035.org.            1D IN MX        10 gromit.rfc1035.com.
rfc1035.org.            1D IN MX        20 relay2.bt.net.
rfc1035.org.            1D IN MX        30 relay1.bt.net.
rfc1035.org.            1D IN NS        ns0.rfc1035.com.
rfc1035.org.            1D IN NS        ns1.rfc1035.com.
rfc1035.org.            1D IN NS        ns2.rfc1035.com.
rfc1035.org.            1D IN NS        ns1.bt.net.
rfc1035.org.            1D IN NS        ns-ext.vix.com.
rfc1035.org.            1D IN SOA       gromit.rfc1035.com. 
hostmaster.rfc1035.com. (
                                         2000092500      ; serial
                                         3H              ; refresh
                                         1H              ; retry
                                         4w2d            ; expiry
                                         1D )            ; minimum


;; AUTHORITY SECTION:
rfc1035.org.            1D IN NS        ns0.rfc1035.com.
rfc1035.org.            1D IN NS        ns1.rfc1035.com.
rfc1035.org.            1D IN NS        ns2.rfc1035.com.
rfc1035.org.            1D IN NS        ns1.bt.net.
rfc1035.org.            1D IN NS        ns-ext.vix.com.

;; ADDITIONAL SECTION:
gromit.rfc1035.com.     1D IN A         62.6.242.6
gromit.rfc1035.com.     1D IN A         62.6.242.9
ns0.rfc1035.com.        1D IN A         62.6.242.6
ns1.rfc1035.com.        1D IN A         198.133.199.1
ns2.rfc1035.com.        1D IN A         198.133.199.2
ns-ext.vix.com.         1H IN A         204.152.184.64

;; Total query time: 201 msec
;; WHEN: Thu Mar  8 16:19:23 2001
;; MSG SIZE  sent: 29  rcvd: 490


	I also find it interesting that the Nominum GNS servers don't 
appear to be capable of understanding DNAME records, either:

$ dig @gns1.nominum.com. rfc1035.org. any

; <<>> DiG 8.1 <<>> @gns1.nominum.com. rfc1035.org. any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 11, AUTHORITY: 5, ADDITIONAL: 0
;; QUERY SECTION:
;;      rfc1035.org, type = ANY, class = IN

;; ANSWER SECTION:
rfc1035.org.            1D IN SOA       gromit.rfc1035.com. 
hostmaster.rfc1035.com. (
                                         2001030800      ; serial
                                         3H              ; refresh
                                         1H              ; retry
                                         4w2d            ; expiry
                                         1D )            ; minimum

rfc1035.org.            1D IN NS        ns-ext.vix.com.
rfc1035.org.            1D IN NS        ns0.rfc1035.com.
rfc1035.org.            1D IN NS        ns1.bt.net.
rfc1035.org.            1D IN NS        ns1.rfc1035.com.
rfc1035.org.            1D IN NS        ns2.rfc1035.com.
rfc1035.org.            1D IN MX        30 relay1.bt.net.
rfc1035.org.            1D IN MX        10 gromit.rfc1035.com.
rfc1035.org.            1D IN MX        20 relay2.bt.net.
rfc1035.org.            1D IN TXT       "$Id: rfc1035.org,v 1.4 
2001/03/08 18:04:40 jim Exp $"
rfc1035.org.            1D IN 39        \#(             ; unknown RR type
         07 72 66 63 31 30 33 35 03 63 6f 6d 00 )        ; .rfc1035.com.

;; AUTHORITY SECTION:
rfc1035.org.            1D IN NS        ns1.rfc1035.com.
rfc1035.org.            1D IN NS        ns2.rfc1035.com.
rfc1035.org.            1D IN NS        ns-ext.vix.com.
rfc1035.org.            1D IN NS        ns0.rfc1035.com.
rfc1035.org.            1D IN NS        ns1.bt.net.

;; Total query time: 205 msec
;; WHEN: Thu Mar  8 16:20:51 2001
;; MSG SIZE  sent: 29  rcvd: 419


	Hmm, you also don't seem to have updated this machine to BIND 9.1.1:

$ dig @ns0.rfc1035.com. version.bind. txt chaos

; <<>> DiG 8.1 <<>> @ns0.rfc1035.com. version.bind. txt chaos
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
version.bind.           0S CHAOS TXT    "9.1.0"

;; Total query time: 209 msec
;; WHEN: Thu Mar  8 16:24:11 2001
;; MSG SIZE  sent: 30  rcvd: 48


	And the GNS servers don't seem to respond to this query at all:

$ dig @gns1.nominum.com. version.bind. txt chaos

; <<>> DiG 8.1 <<>> @gns1.nominum.com. version.bind. txt chaos
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      version.bind, type = TXT, class = CHAOS

;; Total query time: 137 msec
;; WHEN: Thu Mar  8 16:25:02 2001
;; MSG SIZE  sent: 30  rcvd: 30

	Nor does ns1.bt.net, but I'm glad to see that ns-ext.vix.com is 
claiming to be running BIND 8.2.3:

$ dig @ns-ext.vix.com. version.bind. txt chaos

; <<>> DiG 8.1 <<>> @ns-ext.vix.com. version.bind. txt chaos
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
VERSION.BIND.           0S CHAOS TXT    "8.2.3-REL"

;; Total query time: 141 msec
;; WHEN: Thu Mar  8 16:24:44 2001
;; MSG SIZE  sent: 30  rcvd: 64


	Strangely, ns1.bt.net appears to be a caching recursive server:

$ dig @ns1.bt.net. www.aol.com. any

; <<>> DiG 8.1 <<>> @ns1.bt.net. www.aol.com. any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      www.aol.com, type = ANY, class = IN

;; ANSWER SECTION:
www.aol.com.            1H IN CNAME     aol.com.

;; AUTHORITY SECTION:
aol.com.                1H IN NS        dns-01.ns.aol.com.
aol.com.                1H IN NS        dns-02.ns.aol.com.

;; ADDITIONAL SECTION:
dns-01.ns.aol.com.      1H IN A         152.163.159.232
dns-02.ns.aol.com.      1H IN A         205.188.157.232

;; Total query time: 250 msec
;; WHEN: Thu Mar  8 16:28:34 2001
;; MSG SIZE  sent: 29  rcvd: 120

	I'd be willing to bet that this machine is running BIND 
4.something, and is highly susceptible to cache poisoning attacks, 
etc....  Does anyone know the proper tests to perform to see if this 
machine is actually vulnerable to the standard cache poisoning 
attacks, or to at least try to determine what version of BIND it 
appears to be running on the basis of the way it replies to certain 
types of queries (kind of like TCP/IP stack fingerprinting, as 
performed by nmap & queso)?

--
Brad Knowles, <brad.knowles at skynet.be>
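The checks the post performs by eye (an answer without the aa flag, SOA serials that disagree between servers, and names the parent delegates to that the zone's own NS set lacks) can be automated over dig output; the following is an added example, not code from the post, and runs over constructed excerpts modelled on the dig 8.1 output quoted above.

```python
import re

# Added example, not code from the post: parse dig-8 style answers like those quoted
# above and report no-aa answers, disagreeing SOA serials, and lame delegations.
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
SERIAL_RE = re.compile(r"^\s*(\d+)\s*;\s*serial\b")
NS_RE = re.compile(r"^\S+\s+\S+\s+IN\s+NS\s+(\S+)", re.I)

def parse_dig(text):
    # Returns {'aa': bool, 'serial': int or None, 'ns': set of lowercase names}
    aa, serial, ns = False, None, set()
    for line in text.splitlines():
        if m := FLAGS_RE.match(line):
            aa = "aa" in m.group(1).split()
        elif line.startswith(";"):            # dig's own comment/header lines
            continue
        elif m := SERIAL_RE.match(line):
            serial = int(m.group(1))
        elif m := NS_RE.match(line):
            ns.add(m.group(1).lower().rstrip("."))
    return {"aa": aa, "serial": serial, "ns": ns}

def audit(parent_text, child_texts):
    # parent_text: answer from a parent-zone server; child_texts: {server: answer}
    parent_ns = parse_dig(parent_text)["ns"]
    kids = {s: parse_dig(t) for s, t in child_texts.items()}
    problems = [f"{s}: answer lacks aa flag" for s, r in kids.items() if not r["aa"]]
    serials = {r["serial"] for r in kids.values() if r["serial"] is not None}
    if len(serials) > 1:                      # the zone is not being transferred
        newest = max(serials)
        problems += [f"{s}: serial {r['serial']} behind {newest}"
                     for s, r in kids.items() if r["serial"] != newest]
    # Lame in the post's sense: delegated by the parent, absent from the zone's NS set
    zone_ns = set().union(*(r["ns"] for r in kids.values() if r["aa"]))
    problems += [f"{n}: delegated by parent but not in zone NS set"
                 for n in sorted(parent_ns - zone_ns)]
    return problems

# Constructed excerpts in the format of the dig 8.1 output quoted in the post.
PARENT = """;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
;; ANSWER SECTION:
rfc1035.org.  2D IN NS  NS1.BT.NET.
rfc1035.org.  2D IN NS  NS0.RFC1035.COM.
rfc1035.org.  2D IN NS  GNS1.NOMINUM.COM.
"""
NS0 = """;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
rfc1035.org.  1D IN SOA  gromit.rfc1035.com. hostmaster.rfc1035.com. (
                 2001030800 ; serial
                 3H 1H 4w2d 1D ) ; refresh retry expiry minimum
rfc1035.org.  1D IN NS  ns0.rfc1035.com.
rfc1035.org.  1D IN NS  ns1.bt.net.
"""
BT = NS0.replace("qr aa rd ra", "qr rd ra").replace("2001030800", "2000092500")  # no aa, old serial
```

Calling `audit(PARENT, {"ns0.rfc1035.com": NS0, "ns1.bt.net": BT})` reports the missing aa flag and stale serial on ns1.bt.net and gns1.nominum.com as delegated but absent from the zone.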
