How DNS works

["Craig Wright" <cwright () bdosyd com au>]

Hello,

To alleviate some ignorance regarding the DNS process and public servers. 

 

1          DNS

DNS Servers are public if they are a part of the public domain hierarchy. This is NOT that they are on the Internet. 
This is NOT if anyone can connect to port 53 and use them.

 

DNS Servers are public if and ONLY if they have become an authorised part of the DNS infrastructure.

 

This is a contractual agreement. To connect a DNS Server to the hierarchy it needs to serve a domain. To do this the 
higher level domain server and your domain system have an agreement – a contract (and please contracts are not required 
to be written) which exists with implied rights and restraints as dictated by the Internet community and the standards 
associated with use and the various domain bodies.

 

How this works;

 

Say I want to register              ignorant.com

 

I have to go to a register and apply to register the domain (in this case with a .com authority). There are terms in 
the contract which is formed.

 

Thus the name servers which are listed in the application and thus in the DNS hierarchy are public.

 

If I stick a server -ex               ignorant.private

On the internet for the use of the Internal network, than this is PRIVATE. If it is secure of not has NO relevance to 
the status of being public or private – this is a separate issue.

 

2          Google and robots.txt

Web servers are placed on the Internet for a public function UNLESS there is a mechanism to control or restrict access 
(a password for example). Private servers do not need to be secure, but there needs to be “some” attempt to restrict 
access (VERY lame attempts included)

 

There is an applied contractual agreement for public use of the site made by the act of placing the data as a public 
site. This is dictated by the standards associated with the protocol. – see RFC’s and standards for details.

 

“robots.txt” is a valid part of the standard.

 

Google does not scan the internet for IP addresses that have port 80 open. It does not scan to see if web servers are 
available on other ports. It links from other sites. This is the purpose of the web. 

 

Regards

Craig

        -----Original Message----- 
        From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] 
        Sent: Fri 31/03/2006 10:15 AM 
        To: security-basics () securityfocus com 
        Cc: 
        Subject: Re: application for an employment
        
        

        On 2006-03-30 David Gillett wrote:
        > Thursday, March 30, 2006 10:35 AM, Ansgar -59cobalt- Wiechers wrote:
        >> On 2006-03-30 David Gillett wrote:
        >>>   Suppose you want to send me an email.  By your argument, your only
        >>> option is to scan our whole address block(s!) looking for machines
        >>> that will answer on port 25.
        >>>   Bzzzt!  WRONG!  Do a DNS lookup for the MX records for our domain.
        >>
        >> So, how do I do a DNS lookup without somehow accessing port 53/udp of
        >> a DNS server that I do not own? How do I get permission to do that?
        >
        >   You don't.  You send your DNS query to a server you *do* have
        > permission to access, and it queries servers that *it* has permission
        > to, and so on. By registering our domain, we've given the root servers
        > permission to refer queries *about our domain* to the servers we've
        > registered.
        
        You're contradicting yourself. A root server may refer my query to your
        server, but it's still my server connecting to your server to do the
        actual query, thus it must somehow have gotten your permission. Besides,
        how do I get permission to access the root servers or any other upstream
        DNS server not owned by myself?
        
        >>>   Suppose you want to register online to take courses here.  By your
        >>> argument, your only option is to scan our address space for hosts
        >>> that answer on ports 80 and 443.
        >>>   Bzzzt!  WRONG!  Point your browser at the college homepage (you
        >>> could Google for it) and follow the links to "Registration".
        >>
        >> So, how does Google get the address of your webserver? Or permission
        >> to access/index it? How do I get permission to access Google? And how
        >> does a listing of $something in Google give me the permission to
        >> access it?
        >
        >   AFAIK, Google still supports a mechanism for telling them about
        > specific pages to be indexed.  And their spider plays by the
        > robots.txt rules, which your port scanner probably does not.
        
        That doesn't answer the questions. To read a robots.txt the spider must
        already have connected to your server. How does Google get permission to
        do that? And how do I get permission to access Google?
        
        


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.