Re: DNS zone transfer

From: Jefferson Ogata (seclistsat_private)
Date: Tue Jun 11 2002 - 16:28:51 PDT


    Edwin Groothuis wrote:
     > On Sun, Jun 09, 2002 at 05:35:41PM +0200, Ralf Vitasek wrote:
     >> what *good* use anyone could have for such a thing?
     >
     > Auditing. Not all information gathering is used for bad purposes :-)
     >
     > For example, I've developed a DNS auditing system to check the state of
     > health of our servers, the ones which we (were) delegated (delegating)
     > to... Warnings kept popping up for weeks after the transfers of domain
     > from a remote server to us or from us to another remote server. If you
     > don't check and complain your DNS-network is going to be a mess, mail
     > won't be transferred anymore, hosts will resolve wrong and all kind of
     > things based on hostname-authorisations will go bad.
    
    With BIND it's possible to accomplish this type of auditing strictly by
    examining the DNS message log, as long as NOTIFY functionality is enabled.
    
    If you are running a master:
    
    - To check if all slaves are configured to mirror all your zones, update the
    serial number in all your master files and reload. Your server will send
    NOTIFY messages to all the slaves. If the slaves are correctly configured they
    will perform a zone transfer. Both the NOTIFY messages and the zone transfers
    will by default be recorded in your message log. Make sure there is a matching
    zone transfer to every slave for each zone you master.
    
    You can also do this without updating the serial number by simply restarting
    the nameserver. The nameserver will send NOTIFY messages to all the slaves.
    Each slave will then send a NOTIFY answer, even if it doesn't need to perform
    a zone transfer. If a slave is not configured to mirror a zone, it will not
    send a NOTIFY answer. The NOTIFY answers are recorded by default in your
    message logs. Make sure you get a NOTIFY answer from every slave for each zone
    you master.
    
    - To make sure slaves are not configured to mirror zones you do not master,
    check your message logs for transfer requests for zones you do not master.
    
    If you are running a slave:
    
    - To make sure you are mirroring every zone you are supposed to mirror, check
    your message logs for messages of the form
    
           rcvd NOTIFY for "example.com", name not one of our zones
    
    Confirm using WHOIS, dig, and contact with the master server admin that you
    are supposed to mirror the zone, and add it to your config.
    
    - To make sure you aren't configured to mirror zones from a server that
    doesn't master them, check your message logs for messages of the form
    
          [192.168.0.1] not authoritative for example.com, SOA query got...
    
    This means you're trying to do a zone transfer from a server that doesn't
    think it's authoritative for the zone.
    
    If your server is a master for some zones and a slave for others, just use an
    appropriate combination of the above techniques.
    
    The drawback to this method is that your system is sensitive to the particular
    logging format and behavior of BIND, which may change every time you upgrade.
    
    -- 
    Jefferson Ogata : Internetworker, Antibozo
    <ogataat_private>  http://www.antibozo.net/ogata/
    whois: jo317/whois.networksolutions.com
    http://www.antibozo.net/ogata/pgp.asc
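The log-driven audit described in the post, written out as a small script. This is an added example, not code from the original post or from BIND. The `rcvd NOTIFY ... name not one of our zones` and `[ip] not authoritative for ...` lines follow the shapes quoted above; the `transfer of 'zone/IN'` lines assume a BIND 9-style transfer log format, and the zone list, slave list and log lines are constructed sample data. Because, as the post warns, the format is BIND-version specific, the regexes are kept at the top so they can be adjusted without touching the checks.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical hosts and zones, not from the post).
# The "sending notifies" line is realistic noise that the checks ignore.
SAMPLE_LOG = """\
Jun 11 16:00:01 ns1 named[123]: zone example.com/IN: sending notifies (serial 2002061101)
Jun 11 16:00:02 ns1 named[123]: client 192.168.0.2#4521: transfer of 'example.com/IN': AXFR started
Jun 11 16:00:02 ns1 named[123]: client 192.168.0.2#4521: transfer of 'example.com/IN': AXFR ended
Jun 11 16:00:03 ns1 named[123]: client 192.168.0.2#4530: transfer of 'other.example/IN': AXFR started
Jun 11 16:00:05 ns1 named[123]: rcvd NOTIFY for "stray.example", name not one of our zones
Jun 11 16:00:06 ns1 named[123]: [192.168.0.9] not authoritative for example.org, SOA query got...
"""

# Assumed inventory: zones this server masters and the slaves that must mirror them.
MASTER_ZONES = {"example.com", "example.net"}
EXPECTED_SLAVES = {"192.168.0.2", "192.168.0.3"}

# Log formats. The first assumes BIND 9-style transfer logging; the other two
# match the messages quoted in the post. Adjust to what your named emits.
TRANSFER_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: transfer of '(?P<zone>[^/']+)/IN': (?:AXFR|IXFR) started"
)
NOTIFY_UNKNOWN_RE = re.compile(r'rcvd NOTIFY for "(?P<zone>[^"]+)", name not one of our zones')
NOT_AUTH_RE = re.compile(r"\[(?P<ip>[\d.]+)\] not authoritative for (?P<zone>[^\s,]+), SOA query")


def _norm(zone):
    """Zone names compare case-insensitively, with or without a trailing dot."""
    return zone.rstrip(".").lower()


def parse_transfers(log):
    """Map zone -> set of slave IPs that started a transfer for it."""
    transfers = defaultdict(set)
    for line in log.splitlines():
        m = TRANSFER_RE.search(line)
        if m:
            transfers[_norm(m.group("zone"))].add(m.group("ip"))
    return dict(transfers)


def audit_master(log, master_zones, expected_slaves):
    """Master-side checks: every expected slave transferred every mastered zone,
    and no slave pulled a zone this server does not master."""
    transfers = parse_transfers(log)
    missing = {}
    for zone in sorted(master_zones):
        absent = expected_slaves - transfers.get(zone, set())
        if absent:
            missing[zone] = absent
    unexpected = {z: ips for z, ips in transfers.items() if z not in master_zones}
    return {"missing": missing, "unexpected": unexpected}


def audit_slave(log):
    """Slave-side checks: NOTIFYs for zones we are not configured to mirror, and
    masters that deny being authoritative for a zone we try to pull from them."""
    unconfigured, not_auth = [], []
    for line in log.splitlines():
        m = NOTIFY_UNKNOWN_RE.search(line)
        if m:
            unconfigured.append(_norm(m.group("zone")))
            continue
        m = NOT_AUTH_RE.search(line)
        if m:
            not_auth.append((m.group("ip"), _norm(m.group("zone"))))
    return {"unconfigured_notify": unconfigured, "not_authoritative": not_auth}


if __name__ == "__main__":
    master = audit_master(SAMPLE_LOG, MASTER_ZONES, EXPECTED_SLAVES)
    for zone, slaves in master["missing"].items():
        print(f"master: no transfer of {zone} by {sorted(slaves)}")
    for zone, slaves in master["unexpected"].items():
        print(f"master: {sorted(slaves)} pulled {zone}, which we do not master")
    slave = audit_slave(SAMPLE_LOG)
    for zone in slave["unconfigured_notify"]:
        print(f"slave: NOTIFY for {zone} but zone not configured")
    for ip, zone in slave["not_authoritative"]:
        print(f"slave: {ip} is not authoritative for {zone}")
```

Run it against a real log by reading the file into `SAMPLE_LOG`'s place; the serial-bump-and-reload step from the post is what produces the transfer lines the master-side check relies on, so run the script after the reload has had time to reach every slave.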
    



    This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 19:49:05 PDT