In message <8423.3972...@web137314.mail.in.yahoo.com>, babu dheen writes:
> Hi,
>
> Thanks for the response. But I read an article on the sans.org website that internal DNS server should not respond to ROOT NS query.
>
> Please find the below URL for more information.
>
> http://isc1.sans.org/dnstest.html
> http://isc.sans.edu/diary.html?storyid=5713
>
> Kindly help me.

The query is being used to determine if the nameserver is offering recursive services to machines it shouldn't. There isn't anything wrong with the query itself or with returning the NS records if the machine should be getting recursive service.

> --- On Thu, 17/3/11, Warren Kumari <war...@kumari.net> wrote:
>
> From: Warren Kumari <war...@kumari.net>
> Subject: Re: Need help to know about ROOT DNS query
> To: "babu dheen" <babudh...@yahoo.co.in>
> Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
> Date: Thursday, 17 March, 2011, 8:50 PM
>
> Nah, that's fine (and normal).
>
> BIND comes configured with the roots so that it can start resolution. I guess I don't fully understand your concern here -- is it that you are worried that the root might see queries and so know your internal hostnames?
>
> W
>
> Warren Kumari
> ------Please excuse typing, etc -- This was sent from a device with a tiny keyboard.
>
> On Mar 17, 2011, at 7:20 AM, babu dheen <babudh...@yahoo.co.in> wrote:
>
> Hi,
>
> We have two internal Windows DNS servers which answer all DNS query by forwarding it to gateway DNS server running in Redhat BIND. But I have a query regarding allowing ROOT DNS query on internal DNS server.
>
> Can anyone let me know whether company Internal DNS server should respond to ROOT DNS query. When I execute # dig . NS @my-company-name-server query I am getting complete response
>
> Let me know whether enabling ROOT DNS query is a security threat. For more information can you read and help us to securely configure our company internal Windows DNS server and its impact of disabling it.
>
> ; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10
>
> ;; QUESTION SECTION:
> ;.                              IN      NS
>
> ;; ANSWER SECTION:
> .                       49842   IN      NS      j.root-servers.net.
> .                       49842   IN      NS      k.root-servers.net.
> .                       49842   IN      NS      l.root-servers.net.
> .                       49842   IN      NS      m.root-servers.net.
> .                       49842   IN      NS      a.root-servers.net.
> .                       49842   IN      NS      b.root-servers.net.
> .                       49842   IN      NS      c.root-servers.net.
> .                       49842   IN      NS      d.root-servers.net.
> .                       49842   IN      NS      e.root-servers.net.
> .                       49842   IN      NS      f.root-servers.net.
> .                       49842   IN      NS      g.root-servers.net.
> .                       49842   IN      NS      h.root-servers.net.
> .                       49842   IN      NS      i.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> j.root-servers.net.     49842   IN      A       192.58.128.30
> a.root-servers.net.     49842   IN      A       198.41.0.4
> b.root-servers.net.     49842   IN      A       192.228.79.201
> c.root-servers.net.     49842   IN      A       192.33.4.12
> d.root-servers.net.     49842   IN      A       128.8.10.90
> e.root-servers.net.     49842   IN      A       192.203.230.10
> f.root-servers.net.     49842   IN      A       192.5.5.241
> g.root-servers.net.     49842   IN      A       192.112.36.4
> h.root-servers.net.     49842   IN      A       128.63.2.53
> i.root-servers.net.     49842   IN      A       192.36.148.17
>
> ;; Query time: 34 msec
> ;; SERVER: 10.0.0.1#53(10.132.1.13)
> ;; WHEN: Thu Mar 17 17:16:18 2011
> ;; MSG SIZE rcvd: 401
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
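
Added example (not part of the original thread, and not BIND or SANS code): a Python check that builds the same `. NS` query and reads the reply header the way the dig output above is read, reporting whether recursion was offered to the querying host. The function names, the classification labels and both sample replies are assumptions constructed for illustration; the first sample mirrors the header values in the quoted dig output.

```python
import socket
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, RD, RA, RCODE_MASK = 0x8000, 0x0100, 0x0080, 0x000F
REFUSED = 5

def build_root_ns_query(txid):
    """Wire-format '. IN NS' query with RD set, like `dig . NS @server`."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", 2, 1)  # root name, NS, IN

def classify_response(msg, txid):
    """Decide from the reply header whether recursion was offered to us."""
    if len(msg) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & QR:
        return "malformed"
    rcode = flags & RCODE_MASK
    if rcode == REFUSED:
        return "refused"
    if rcode == 0 and flags & RA and ancount > 0:
        return "recursion-offered"
    if not flags & RA:
        return "no-recursion"
    return "inconclusive"

def probe(server, txid=0x1234, timeout=3.0):
    """Hypothetical helper: send the probe over UDP to a resolver you run."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_ns_query(txid), (server, 53))
        return classify_response(s.recv(4096), txid)

def header(txid, flags, ancount, arcount=0):
    """Constructed reply: 12-byte header plus the echoed root NS question."""
    fixed = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, arcount)
    return fixed + b"\x00\x00\x02\x00\x01"

# Constructed from the dig header in the thread: id 34899, qr rd ra, 13 answers
SAMPLE_OPEN = header(34899, QR | RD | RA, 13, 10)
# Constructed: the same query answered with rcode REFUSED
SAMPLE_REFUSED = header(34899, QR | RD | REFUSED, 0)

if __name__ == "__main__":
    print(classify_response(SAMPLE_OPEN, 34899))
    print(classify_response(SAMPLE_REFUSED, 34899))
```

Calling `probe()` from a host inside the resolver's intended client range and again from a host outside it shows whether recursive service is limited to the machines that should be getting it.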