Need help to know about ROOT DNS query

Mark Andrews marka at isc.org
Fri Mar 18 09:45:22 UTC 2011


In message <8423.3972.qm at web137314.mail.in.yahoo.com>, babu dheen writes:
> Hi,
>  
> Thanks for the response. But I read an article in sans.org website that
> internal DNS server should not respond to ROOT NS query.
>  
>  Please find the below URL for more information.
>  
> http://isc1.sans.org/dnstest.html
> http://isc.sans.edu/diary.html?storyid=5713
>  
>  Kindly help me.

The query is being used to determine if the nameserver is offering
recursive services to machines it shouldn't.  There isn't anything
wrong with the query itself or to returning the NS records if the
machine should be getting recursive service.

> --- On Thu, 17/3/11, Warren Kumari <warren at kumari.net> wrote:
> 
> 
> From: Warren Kumari <warren at kumari.net>
> Subject: Re: Need help to know about ROOT DNS query
> To: "babu dheen" <babudheen at yahoo.co.in>
> Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Date: Thursday, 17 March, 2011, 8:50 PM
> 
> 
> 
> Nah, that's fine (and normal).
> 
> 
> BIND comes configured with the roots so that it can start resolution. I
> guess I don't fully understand your concern here -- is it that you are
> worried that the root might see queries and so know your internal hostnames?
> 
> 
> W
> 
> 
> Warren Kumari
> ------Please excuse typing, etc -- This was sent from a device with a tiny
> keyboard.
> 
> On Mar 17, 2011, at 7:20 AM, babu dheen <babudheen at yahoo.co.in> wrote:
> 
> 
> 
> 
> 
> 
> 
> 
> 
> Hi,
>  
>  We have two internal Windows DNS servers which answer all DNS queries by
> forwarding them to gateway DNS server running in Redhat BIND. But I have a
> query regarding allowing ROOT DNS query on internal DNS server.
>  
> Can anyone let me know whether company Internal DNS server should respond
> to ROOT DNS query. When I execute # dig . NS @my-company-name-server query
> I am getting complete response
>  
>  Let me know whether enabling ROOT DNS query is a security threat. For
> more information can you read and help us to securely configure our company
> internal Windows DNS server and its impact of disabling it.
>  
>  
> ; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10
> ;; QUESTION SECTION:
> ;.                              IN      NS
> ;; ANSWER SECTION:
> .                       49842   IN      NS      j.root-servers.net.
> .                       49842   IN      NS      k.root-servers.net.
> .                       49842   IN      NS      l.root-servers.net.
> .                       49842   IN      NS      m.root-servers.net.
> .                       49842   IN      NS      a.root-servers.net.
> .                       49842   IN      NS      b.root-servers.net.
> .                       49842   IN      NS      c.root-servers.net.
> .                       49842   IN      NS      d.root-servers.net.
> .                       49842   IN      NS      e.root-servers.net.
> .                       49842   IN      NS      f.root-servers.net.
> .                       49842   IN      NS      g.root-servers.net.
> .                       49842   IN      NS      h.root-servers.net.
> .                       49842   IN      NS      i.root-servers.net.
> ;; ADDITIONAL SECTION:
> j.root-servers.net.     49842   IN      A       192.58.128.30
> a.root-servers.net.     49842   IN      A       198.41.0.4
> b.root-servers.net.     49842   IN      A       192.228.79.201
> c.root-servers.net.     49842   IN      A       192.33.4.12
> d.root-servers.net.     49842   IN      A       128.8.10.90
> e.root-servers.net.     49842   IN      A       192.203.230.10
> f.root-servers.net.     49842   IN      A       192.5.5.241
> g.root-servers.net.     49842   IN      A       192.112.36.4
> h.root-servers.net.     49842   IN      A       128.63.2.53
> i.root-servers.net.     49842   IN      A       192.36.148.17
> ;; Query time: 34 msec
> ;; SERVER: 10.0.0.1#53(10.132.1.13)
> ;; WHEN: Thu Mar 17 17:16:18 2011
> ;; MSG SIZE  rcvd: 401
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
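
Added example, not part of the original message and not ISC or SANS code: the `. NS` test from the thread expressed at the wire level, with the response header decoded the way dig prints it and judged against whether the querying client is supposed to get recursion. The function names, the verdict strings and the REFUSED sample are assumptions made for illustration; the first sample header reuses the values from the dig output quoted above.

```python
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080  # header flag bits (RFC 1035)
REFUSED = 5

def build_root_ns_query(qid=0x1234):
    """Wire form of `dig . NS`: header with RD set, then one question."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)   # QDCOUNT=1
    question = b"\x00" + struct.pack("!HH", 2, 1)          # root name, NS, IN
    return header + question

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields dig shows."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "answer": an, "authority": ns, "additional": ar}

def classify(msg):
    """Heuristic (assumption): RA + NOERROR + answers means recursion was served."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] == REFUSED:
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["answer"] > 0:
        return "recursion-offered"
    return "no-recursion"

def audit(msg, client_is_authorized):
    """The NS answer is only a finding when the client should not get recursion."""
    if classify(msg) == "recursion-offered" and not client_is_authorized:
        return "finding: recursion offered to an unauthorized client"
    return "ok"

# Header values taken from the dig output in the thread:
# id 34899, flags qr rd ra, NOERROR, QUERY 1, ANSWER 13, AUTHORITY 0, ADDITIONAL 10
FROM_THREAD = struct.pack("!HHHHHH", 34899, QR | RD | RA, 1, 13, 0, 10)
# Constructed sample: the same query answered with REFUSED and no records
CONSTRUCTED_REFUSED = struct.pack("!HHHHHH", 34899, QR | RD | REFUSED, 1, 0, 0, 0)

if __name__ == "__main__":
    print(audit(FROM_THREAD, client_is_authorized=True))           # internal client
    print(audit(FROM_THREAD, client_is_authorized=False))          # outside client
    print(audit(CONSTRUCTED_REFUSED, client_is_authorized=False))
```

The same response is "ok" from an internal client and a finding from an address that should not be served, which is the distinction drawn in the reply above.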


