testing vulnerability against secondary NS

Jeff Lightner jlightner at water.com
Tue Aug 12 14:06:15 UTC 2008


If it's a slave one way to force tests to it might be to temporarily
stop named on the primary so queries have to use the slave.

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Kevin Darcy
Sent: Tuesday, August 12, 2008 12:51 AM
To: bind-users at isc.org
Subject: Re: testing vulnerability against secondary NS

Chris Henderson wrote:
> I am testing the recent DNS vulnerability against my secondary name server
> from my local machine
> ("dig @<ip_of_nameserver> +short porttest.dns-oarc.net TXT" and also
> "nslookup -querytype=TXT -timeout=10 porttest.dns-oarc.net.")
>
> But strangely it is giving me the result of my primary name server! Every time
> I try to query, it gives me back my primary name server's result. I also tried
> doxpara.com and https://www.dns-oarc.net/oarc/services/dnsentropy
>
> My local machine's /etc/resolv.conf has only one nameserver entry - my
> secondary name server.
>
> Also, if I try to resolve a hostname I can query my secondary name server and
> get the answer back. So I know my secondary name server is working.
>
> Does anyone know how I can test the vuln. against my secondary name server?
>
Well, what's the config of your so-called "secondary nameserver"?

Does it just forward to the "primary"?

If so, then that's where the queries will be seen to originate, by the 
vulnerability-testing tools.

Another possibility is that you have a NAPT device multiplexing both
your "primary" and "secondary" nameservers into a single address. Since it
would need to use different port numbers to accomplish this, the exact
implementation/configuration details of the NAPT would have an effect on
whether you get a "good" or "ok" result from the vulnerability-testing
tools.

 

                  - Kevin
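The two explanations Kevin gives above (a forwarding "secondary" whose upstream queries are seen as coming from the primary, and a NAPT that rewrites source ports) can be made concrete with a small model of what a source-port randomization tester actually observes. The following Python is an added example, not code from this thread, from ISC or from DNS-OARC; the resolver addresses, the port-picking strategies, the NAPT behaviour and the score thresholds are all constructed assumptions chosen for illustration.

```python
"""Model of what a source-port randomization tester "sees" from a resolver.

Constructed example: a recursive resolver either performs recursion itself
(its upstream queries carry its own address and a source port it picks) or
forwards to another resolver, in which case the upstream queries that the
tester scores come from the forwarder's target instead. An optional NAPT on
the path may rewrite the source address and ports before they are seen.
"""
import random
import statistics
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Illustrative thresholds on the standard deviation of observed source ports.
# These are an assumption for this example, not the published cut-offs of
# porttest.dns-oarc.net or any other tool.
GREAT_STDDEV = 3980.0
GOOD_STDDEV = 296.0


@dataclass
class Resolver:
    address: str
    port_chooser: Callable[[random.Random], int]   # how it picks a source port
    forward_to: Optional["Resolver"] = None        # set when it only forwards

    def upstream_query(self, rng: random.Random) -> Tuple[str, int]:
        """(source address, source port) of the query reaching the test server."""
        if self.forward_to is not None:
            # A forwarding resolver never talks to the test server itself.
            return self.forward_to.upstream_query(rng)
        return self.address, self.port_chooser(rng)


def fixed_port(_rng: random.Random) -> int:
    # Unpatched behaviour: one fixed source port for every outgoing query.
    return 32768


def random_port(rng: random.Random) -> int:
    # Patched behaviour: a fresh port from the unprivileged range per query.
    return rng.randint(1024, 65535)


class SequentialNAPT:
    """NAPT that hands out external ports in order: randomization is lost."""

    def __init__(self, external: str, first_port: int = 1024) -> None:
        self.external = external
        self.next_port = first_port
        self.table: Dict[Tuple[str, int], int] = {}

    def translate(self, src: Tuple[str, int]) -> Tuple[str, int]:
        if src not in self.table:
            self.table[src] = self.next_port
            self.next_port += 1
        return self.external, self.table[src]


def observe(resolver: Resolver, queries: int,
            napt: Optional[SequentialNAPT] = None,
            seed: int = 1) -> Tuple[Set[str], List[int]]:
    """Addresses and source ports the test server sees for `queries` lookups."""
    rng = random.Random(seed)
    addrs: Set[str] = set()
    ports: List[int] = []
    for _ in range(queries):
        src = resolver.upstream_query(rng)
        if napt is not None:
            src = napt.translate(src)
        addrs.add(src[0])
        ports.append(src[1])
    return addrs, ports


def score(ports: List[int]) -> str:
    """Rate port spread the way a porttest-style service would (illustrative)."""
    if len(set(ports)) < 2:
        return "POOR"
    sd = statistics.pstdev(ports)
    if sd >= GREAT_STDDEV:
        return "GREAT"
    if sd >= GOOD_STDDEV:
        return "GOOD"
    return "POOR"


if __name__ == "__main__":
    primary = Resolver("192.0.2.1", random_port)
    forwarding_secondary = Resolver("192.0.2.2", random_port, forward_to=primary)
    recursing_secondary = Resolver("192.0.2.2", random_port)
    for name, res, napt in [
        ("secondary that forwards", forwarding_secondary, None),
        ("secondary that recurses", recursing_secondary, None),
        ("recursing secondary behind sequential NAPT", recursing_secondary,
         SequentialNAPT("198.51.100.1")),
    ]:
        addrs, ports = observe(res, 30, napt)
        print(f"{name}: seen from {sorted(addrs)}, score {score(ports)}")
```

The first case reproduces the symptom in the original question: every query from a forwarding secondary reaches the tester from the primary's address, so the primary's ports are what get scored. The third case shows Kevin's second point: a resolver with perfectly randomized ports still scores POOR once a NAPT assigns external ports sequentially.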