<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><DIV>Hi,</DIV>
<DIV> </DIV>
<DIV>Thanks for the response. But i read a article in sans.org website that internal DNS server should not respond to ROOT NS query.</DIV>
<DIV> </DIV>
<DIV> Please find the below URL for more information.</DIV>
<DIV> </DIV>
<DIV><A href="http://isc1.sans.org/dnstest.html" rel=nofollow target=_blank>http://isc1.sans.org/dnstest.html</A></DIV>
<DIV><A href="http://isc.sans.edu/diary.html?storyid=5713" rel=nofollow target=_blank>http://isc.sans.edu/diary.html?storyid=5713</A></DIV>
<DIV> </DIV>
<DIV> Kindly help me.<BR><BR><BR><BR>--- On <B>Thu, 17/3/11, Warren Kumari <I><warren@kumari.net></I></B> wrote:<BR></DIV>
<BLOCKQUOTE style="BORDER-LEFT: rgb(16,16,255) 2px solid; PADDING-LEFT: 5px; MARGIN-LEFT: 5px"><BR>From: Warren Kumari <warren@kumari.net><BR>Subject: Re: Need help to know about ROOT DNS query<BR>To: "babu dheen" <babudheen@yahoo.co.in><BR>Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org><BR>Date: Thursday, 17 March, 2011, 8:50 PM<BR><BR>
<DIV id=yiv487844257>
<DIV>Nah, that's fine (and normal).</DIV>
<DIV><BR></DIV>
<DIV>BIND comes configured with the roots so that it can start resolution. I guess I don't fully understand your concern here -- is it that you are worried that the root might see queries and so know your internal hostnames?</DIV>
<DIV><BR></DIV>
<DIV>W</DIV>
<DIV><BR>
<DIV>Warren Kumari</DIV>
<DIV>------</DIV>Please excuse typing, etc -- This was sent from a device with a tiny keyboard.</DIV>
<DIV><BR>On Mar 17, 2011, at 7:20 AM, babu dheen <<A href="http://in.mc1373.mail.yahoo.com/mc/compose?to=babudheen@yahoo.co.in" rel=nofollow target=_blank ymailto="mailto:babudheen@yahoo.co.in">babudheen@yahoo.co.in</A>> wrote:<BR><BR></DIV>
<DIV></DIV>
<BLOCKQUOTE type="cite">
<DIV>
<TABLE border=0 cellSpacing=0 cellPadding=0>
<TBODY>
<TR>
<TD vAlign=top>
<DIV>Hi,</DIV>
<DIV> </DIV>
<DIV> We have two internal Windows DNS servers which answer all DNS query by forwarding it to gateway DNS server running in Redhat BIND. But i have a query regarding allowing ROOT DNS query on internal DNS server.</DIV>
<DIV> </DIV>
<DIV>Can anyone let me know whether company Internal DNS server should respond to ROOT DNS query. When i execute # dig . NS @my-company-name-server query I am getting complete response</DIV>
<DIV> </DIV>
<DIV> Let me know whether enabling ROOT DNS query is a security threat. For more informaton can you read and help us to securely configure our company internal Windows DNS server and its impact of disabling it.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1<BR>; (1 server found)<BR>;; global options: printcmd<BR>;; Got answer:<BR>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899<BR>;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10</DIV>
<DIV>;; QUESTION SECTION:<BR>;. IN NS</DIV>
<DIV>;; ANSWER SECTION:<BR>. 49842 IN NS <A href="http://j.root-servers.net/" rel=nofollow target=_blank>j.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://k.root-servers.net/" rel=nofollow target=_blank>k.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://l.root-servers.net/" rel=nofollow
target=_blank>l.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://m.root-servers.net/" rel=nofollow target=_blank>m.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://a.root-servers.net/" rel=nofollow target=_blank>a.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://b.root-servers.net/" rel=nofollow
target=_blank>b.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://c.root-servers.net/" rel=nofollow target=_blank>c.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://d.root-servers.net/" rel=nofollow target=_blank>d.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://e.root-servers.net/" rel=nofollow
target=_blank>e.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://f.root-servers.net/" rel=nofollow target=_blank>f.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://g.root-servers.net/" rel=nofollow target=_blank>g.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://h.root-servers.net/" rel=nofollow
target=_blank>h.root-servers.net</A>.<BR>. 49842 IN NS <A href="http://i.root-servers.net/" rel=nofollow target=_blank>i.root-servers.net</A>.</DIV>
<DIV>;; ADDITIONAL SECTION:<BR><A href="http://j.root-servers.net/" rel=nofollow target=_blank>j.root-servers.net</A>. 49842 IN A 192.58.128.30<BR><A href="http://a.root-servers.net/" rel=nofollow target=_blank>a.root-servers.net</A>. 49842 IN A 198.41.0.4<BR><A href="http://b.root-servers.net/" rel=nofollow target=_blank>b.root-servers.net</A>. 49842 IN A 192.228.79.201<BR><A href="http://c.root-servers.net/" rel=nofollow target=_blank>c.root-servers.net</A>. 49842 IN A 192.33.4.12<BR><A href="http://d.root-servers.net/" rel=nofollow
target=_blank>d.root-servers.net</A>. 49842 IN A 128.8.10.90<BR><A href="http://e.root-servers.net/" rel=nofollow target=_blank>e.root-servers.net</A>. 49842 IN A 192.203.230.10<BR><A href="http://f.root-servers.net/" rel=nofollow target=_blank>f.root-servers.net</A>. 49842 IN A 192.5.5.241<BR><A href="http://g.root-servers.net/" rel=nofollow target=_blank>g.root-servers.net</A>. 49842 IN A 192.112.36.4<BR><A href="http://h.root-servers.net/" rel=nofollow target=_blank>h.root-servers.net</A>. 49842
IN A 128.63.2.53<BR><A href="http://i.root-servers.net/" rel=nofollow target=_blank>i.root-servers.net</A>. 49842 IN A 192.36.148.17</DIV>
<DIV>;; Query time: 34 msec<BR>;; SERVER: 10.0.0.1#53(10.132.1.13)<BR>;; WHEN: Thu Mar 17 17:16:18 2011<BR>;; MSG SIZE rcvd: 401<BR></DIV></TD></TR></TBODY></TABLE><BR></DIV></BLOCKQUOTE>
<BLOCKQUOTE type="cite">
<DIV><SPAN>_______________________________________________</SPAN><BR><SPAN>bind-users mailing list</SPAN><BR><SPAN><A href="http://in.mc1373.mail.yahoo.com/mc/compose?to=bind-users@lists.isc.org" rel=nofollow target=_blank ymailto="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</A></SPAN><BR><SPAN><A href="https://lists.isc.org/mailman/listinfo/bind-users" rel=nofollow target=_blank>https://lists.isc.org/mailman/listinfo/bind-users</A></SPAN></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></td></tr></table><br>