Tibo <t.lema...@tib1.com> said: > Leonardo Rodrigues a écrit : > > Tibo escreveu: > >> > >> I think I found it : fpdns -f NAMESERVER > >> > >> Is it always OK ? > > > > No, that's not always OK, because -f option of fpdns relies on the > > version.bind record, which i explained on my previous message that > > sometimes cant be queries and other times can fake some false version id. > > > > fpdns -f and the dig command i gave you queries exactly the same > > thing. > > > > none of those (which are in fact the sam thing) are 100% reliable for > > identifying remote dns server versions > > > > > Ok, I think if I tell my people to always let the version and the > solution with dig would be OK.
You can always define a "view" for the chaos class and only let your workstation get the results from this version.bind query. Everyone else would be blocked from obtaining this information. Many "security" people believe that releasing the bind.version information is a security issue. They do a "version.bind" query and if they get ANY answer they fell that this is a problem. I don't agree with them, but I have given up fighting them on this issue. Most of the time these security people are outside consultants that management is paying and they have management's ear with any "findings". The "fpdns" tool trys to determine the type/version of a DNS server by sending the server special queries which help to define this information. Unfortunately, multiple versions of BIND can respond to these special queries and so only provide a range of version information. Also, I have seen firewalls which block some of the queries fpdns uses, such as TCP ones, which make version identification even more difficult and/or impossible. Another possibility is to ASK the administrators of the other data centers for this information. All they have to do is run "named -v" to get this information. If you can't get them to do this for you, how do you expect to get them to reconfigure your named.conf to allow version.bind queries? I know that having the BIND version available by querying is nice, but it is also possible to configure this information to report bogus information in a format that would appear to be legitimate. Why "trust" these version.bind queries in the first place? Use the simple solution of asking the administrators. A simple question deserves a simple solution. Bill Larson
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
