Troubleshooting Information
Alan Clegg
alan at clegg.com
Fri Aug 28 13:43:40 UTC 2015
On 8/28/15 9:19 AM, Bob McDonald wrote:
> It appears that receiving an NSID response depends on having server-id
> set in the options block. However, I'm seeing no way to restrict such
> queries.
You don't have to set the server-id information to anything that an
external entity would find interesting. Set the server-ids to "1", "2",
"3", or <binary blob 1>, <binary blob 2>, <binary blob 3> and you are set.
The magic of NSID is that you are able to use it "through" load
balancers, etc.
Do a "normal" A record lookup, set the NSID bit and you still get the A
record, but in addition, you get the server-id information from the
server that actually responded to the request.
Please remember that even if you are doing your best at hiding all of
the information that is kept in the "easter egg zones", there are other
ways to determine the type/location/whatever of your nameservers.
fpdns may be undermining almost all of your efforts.
And, my last input of the day: Script kiddies are going to "shotgun"
attacks against your nameserver - they don't care about the version data
provided.
Targeted attacks are going to be much more deliberate and they are going
to be much more intelligent than basing the attack on the chaos data
provided by your nameserver - They don't care about the version data
provided.
AlanC
--
When I do still catch the odd glimpse, it's peripheral; mere fragments
of mad-doctor chrome, confining themselves to the corner of the eye.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 561 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150828/695f575f/attachment.bin>
More information about the bind-users
mailing list