On 8/28/15 9:19 AM, Bob McDonald wrote:
> It appears that receiving an NSID response depends on having server-id
> set in the options block. However, I'm seeing no way to restrict such
> queries.
You don't have to set the server-id information to anything that an external entity would find interesting. Set the server-ids to "1", "2", "3", or <binary blob 1>, <binary blob 2>, <binary blob 3> and you are set.

The magic of NSID is that you are able to use it "through" load balancers, etc. Do a "normal" A record lookup, set the NSID bit and you still get the A record, but in addition, you get the server-id information from the server that actually responded to the request.

Please remember that even if you are doing your best at hiding all of the information that is kept in the "easter egg zones", there are other ways to determine the type/location/whatever of your nameservers. fpdns may be undermining almost all of your efforts.

And, my last input of the day: Script kiddies are going to "shotgun" attacks against your nameserver; they don't care about the version data provided. Targeted attacks are going to be much more deliberate and they are going to be much more intelligent than basing the attack on the chaos data provided by your nameserver; they don't care about the version data provided.

AlanC

-- 
When I do still catch the odd glimpse, it's peripheral; mere fragments of mad-doctor chrome, confining themselves to the corner of the eye.
_______________________________________________
bind-users mailing list
[email protected]
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
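The lookup Alan describes, an ordinary A query that also carries the EDNS0 NSID option (option code 3, RFC 5001) so that whichever server actually answers behind a load balancer identifies itself, as an added example that is not part of the original thread. It is stdlib-only Python: it builds the query on the wire, parses the answer for both the A records and the NSID payload, and includes a constructed sample response (the address 192.0.2.1 and the server-id "2" are made up, matching the "1", "2", "3" suggestion above) so the parsing can be exercised offline. The `query_nsid` helper sends the same query over UDP if you point it at a real server; nothing here is BIND's own code.

```python
import random
import socket
import struct

NSID_OPTION_CODE = 3   # EDNS option code for NSID (RFC 5001)
TYPE_A = 1
TYPE_OPT = 41
EDNS_UDP_SIZE = 1232   # advertised UDP payload size in the OPT class field


def encode_name(name):
    """Encode a dotted name as DNS labels: 'example.com' -> b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_nsid_query(qname, txid=None):
    """A normal A query for qname plus an OPT RR carrying an empty NSID option."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # flags 0x0100 = RD; one question, no answer/authority, one additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    nsid_option = struct.pack("!HH", NSID_OPTION_CODE, 0)   # NSID data is empty in a request
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode/version/flags (0), RDLEN, options
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, 0, len(nsid_option)) + nsid_option
    return header + question + opt_rr


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                        # stream resumes after the 2-byte pointer
            offset = pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_response(msg):
    """Return (list of A record addresses, NSID bytes or None) from a DNS message."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    a_records, nsid = [], None
    for _ in range(an + ns + ar):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            a_records.append(socket.inet_ntoa(rdata))
        elif rtype == TYPE_OPT:                         # walk the EDNS options looking for NSID
            p = 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                if code == NSID_OPTION_CODE:
                    nsid = rdata[p + 4:p + 4 + olen]
                p += 4 + olen
    return a_records, nsid


def build_sample_response(query, addr, nsid):
    """Constructed response to build_nsid_query() output, for offline testing only."""
    txid = query[:2]
    qname_end = 12 + query[12:].index(b"\x00") + 1      # first zero byte ends the question name
    question = query[12:qname_end + 4]
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1)   # QR, RD, RA; 1 answer, 1 additional
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(addr)
    nsid_opt = struct.pack("!HH", NSID_OPTION_CODE, len(nsid)) + nsid
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(nsid_opt)) + nsid_opt
    return header + question + answer + opt_rr


def query_nsid(qname, server, port=53, timeout=3.0):
    """Send the NSID query over UDP to a real server and return (a_records, nsid). Needs network."""
    q = build_nsid_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_response(data)


if __name__ == "__main__":
    q = build_nsid_query("example.com")
    addrs, nsid = parse_response(build_sample_response(q, "192.0.2.1", b"2"))
    print(addrs, nsid)
```

`dig +nsid @<server> example.com A` does the same thing from the command line. On the BIND side the value returned is whatever `server-id` is set to in the `options` block (`server-id "2";` rather than `server-id hostname;`), which is why an opaque token per host is enough: you still learn which backend answered without telling the world its hostname.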

