Bind-9.5.0-P2 testing

Binmakhashen, Latif Latif.Binmakhashen at omnicare.com
Mon Aug 18 23:35:43 UTC 2008 

Good points Kevin!!!
 
1)  This is weird, the command line with the -v flag is showing the
right version but the output from the command is referring to an earlier
version which is not installed at all?
 
Internal DNS seems to refer to an older version that doesn't exist in
the system? I see something that maybe causing that so I'll investigate
this some more and will keep you guys updated.
 
# ./dig -v
DiG 9.5.0-P2
 
# ./dig version.bind chaos txt
 
; <<>> DiG 9.5.0-P2 <<>> version.bind chaos txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1704
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
 
;; QUESTION SECTION:
;version.bind.                  CH      TXT
 
;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.2.0"
 
;; Query time: 2 msec
;; SERVER: 172.16.1.48#53(172.16.1.48)
;; WHEN: Mon Aug 18 19:23:47 2008
;; MSG SIZE  rcvd: 48
 
 
External DNS is using the right binaries but same result?
 
# ./dig -v
DiG 9.5.0-P2
 
# ./dig version.bind chaos txt
 
; <<>> DiG 9.5.0-P2 <<>> version.bind chaos txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24343
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
 
;; QUESTION SECTION:
;version.bind.                  CH      TXT
 
;; ANSWER SECTION:
version.bind.           0       CH      TXT     ""
 
;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.
 
;; Query time: 11 msec
;; SERVER: 10.0.0.3#53(10.0.0.3)
;; WHEN: Mon Aug 18 19:10:08 2008
;; MSG SIZE  rcvd: 57
 
# ./dig +short porttest.dns-oarc.net TXT
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.n
et.
"12.109.107.10 is POOR: 26 queries in 2.1 seconds from 1 ports with std
dev 0"
 
2) Yes, you're right we do have the query-source statement in the
named.conf and that is what I doubted when I saw the source port
randomness was POOR. What is your recommendations?
query-source address * port 53;
 
3) I'll check with the network admins. It's mentioned in the security
article but the network guy I want to talk to wasn't in today:
 
http://www.kb.cert.org/vuls/id/800113
 
 
 
Kind regards,
 
Latif Binmakhashen
Sr. Unix  Admin.
Omnicare Inc.
Direct Line: (614) 652-3217
latif.binmakhashen at omnicare.com
 
 
-- NOTICE --
This e-mail message is confidential, intended only for the named
recipient(s) above and may contain information that is privileged or
exempt from disclosure under applicable law. If you have received this
message in error, or are not the named recipient(s), please immediately
notify the sender and delete this e-mail message from your computer.
 
 
-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Kevin Darcy
Sent: Monday, August 18, 2008 7:09 PM
To: bind-users at isc.org
Subject: Re: Bind-9.5.0-P2 testing
 
Binmakhashen, Latif wrote:
> That's a very interesting question because I'm pretty much on the same
> boat. 
> I just upgraded to bind-9.5.0-P2 and was looking for a good tool that
> will show me if this version really fixes the DNS cache poisoning
issue.
>  
> I found the following tool which I believe is pretty good but it
> probably does more check than just the DNS cache poisoning... 
>  
> Go here and under Testing and Reporting Tools, run the DNS
Vulnerability
> Testing Tool => Test Now. 
>  
> http://www.infoblox.com/library/dns-security-center.cfm#2
>  
> I'm getting POOR for the Source Port randomness and GREAT for the
> transaction ID randomness. 
> Is that expected? Does the source port randomness has something to do
> with the way named.conf is setup?
>  
> Also, another test from the command line is showing a POOR result?
Refer
> to the following link for more info about the command line test:
>  
> https://www.dns-oarc.net/oarc/services/porttest
>  
> # dig @hpadm2 +short porttest.dns-oarc.net TXT
>
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.n
> et.
> "12.109.107.60 is POOR: 26 queries in 2.1 seconds from 1 ports with
std
> dev 0"
>  
>  
> Anybody has an idea? 
>  
>   
1. You're not using the binary you think you're using (try "dig 
version.bind chaos txt")
 
2. You have a "query-source" statement in named.conf
 
3. Some intermediate device -- DNS forwarder (if configured), firewall, 
PNAT -- is "de-randomizing" your packets.
 
 
      - Kevin
 
 


-- NOTICE -- 
The information transmitted is intended only for the person or
entity to which it is addressed and may contain confidential and/or
privileged material, the disclosure of which is governed by
applicable law. Any review, retransmission, dissemination or other
use of, or taking of any action in reliance upon, this information
by persons or entities other than the intended recipient is
prohibited. If you received this in error please contact the sender
and destroy the materials contained in this message.

More information about the bind-users mailing list