Need help to know about ROOT DNS query

babu dheen babudheen at yahoo.co.in
Fri Mar 18 08:29:54 UTC 2011


Hi,
 
Thanks for the response. But I read an article on the sans.org website that an internal DNS server should not respond to a ROOT NS query.
 
 Please find the below URL for more information.
 
http://isc1.sans.org/dnstest.html
http://isc.sans.edu/diary.html?storyid=5713
 
 Kindly help me.



--- On Thu, 17/3/11, Warren Kumari <warren at kumari.net> wrote:


From: Warren Kumari <warren at kumari.net>
Subject: Re: Need help to know about ROOT DNS query
To: "babu dheen" <babudheen at yahoo.co.in>
Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Date: Thursday, 17 March, 2011, 8:50 PM



Nah, that's fine (and normal).


BIND comes configured with the roots so that it can start resolution. I guess I don't fully understand your concern here -- is it that you are worried that the root might see queries and so know your internal hostnames?


W


Warren Kumari
------Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

On Mar 17, 2011, at 7:20 AM, babu dheen <babudheen at yahoo.co.in> wrote:









Hi,
 
We have two internal Windows DNS servers which answer all DNS queries by forwarding them to a gateway DNS server running Redhat BIND. But I have a query regarding allowing ROOT DNS queries on the internal DNS server.
 
Can anyone let me know whether a company's internal DNS server should respond to a ROOT DNS query? When I execute # dig . NS @my-company-name-server query, I am getting a complete response.
 
Let me know whether enabling ROOT DNS query is a security threat. For more information can you read and help us to securely configure our company internal Windows DNS server and its impact of disabling it.
 
 
; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10
;; QUESTION SECTION:
;.                              IN      NS
;; ANSWER SECTION:
.                       49842   IN      NS      j.root-servers.net.
.                       49842   IN      NS      k.root-servers.net.
.                       49842   IN      NS      l.root-servers.net.
.                       49842   IN      NS      m.root-servers.net.
.                       49842   IN      NS      a.root-servers.net.
.                       49842   IN      NS      b.root-servers.net.
.                       49842   IN      NS      c.root-servers.net.
.                       49842   IN      NS      d.root-servers.net.
.                       49842   IN      NS      e.root-servers.net.
.                       49842   IN      NS      f.root-servers.net.
.                       49842   IN      NS      g.root-servers.net.
.                       49842   IN      NS      h.root-servers.net.
.                       49842   IN      NS      i.root-servers.net.
;; ADDITIONAL SECTION:
j.root-servers.net.     49842   IN      A       192.58.128.30
a.root-servers.net.     49842   IN      A       198.41.0.4
b.root-servers.net.     49842   IN      A       192.228.79.201
c.root-servers.net.     49842   IN      A       192.33.4.12
d.root-servers.net.     49842   IN      A       128.8.10.90
e.root-servers.net.     49842   IN      A       192.203.230.10
f.root-servers.net.     49842   IN      A       192.5.5.241
g.root-servers.net.     49842   IN      A       192.112.36.4
h.root-servers.net.     49842   IN      A       128.63.2.53
i.root-servers.net.     49842   IN      A       192.36.148.17
;; Query time: 34 msec
;; SERVER: 10.0.0.1#53(10.132.1.13)
;; WHEN: Thu Mar 17 17:16:18 2011
;; MSG SIZE  rcvd: 401


