Security Incidents mailing list archives
Re: Microsoft version.binding us now?
From: t.kee () F5 COM (Tom Kee)
Date: Sat, 3 Jun 2000 00:33:30 -0700
The purpose of the 3-DNS metrics collection software is to measure the path attributes by getting a reflection off the requesting end point when a load balancing option is chosen which requires such measurements. A TCP half-open connection against the requestor's port 53 has been a reliable way to garner such a reflection at the expense of logging an entry in the messages file. 3-DNS offers administrators several definable and configurable techniques which may be used to get a reflection for the purpose of measuring a round trip time.
One such method is to query the DNS server for its "version.bind". Using version.bind involves a minimal amount of effort for BIND to look up the entry in its memory tables (for those who wish to refer to the details, look through lines 957-980 in ns_req.c against bind8.2.2pl5 where you'll see that the DNS query is examined for the type TXT, class CHAOS and name "version.bind"). The actual version of BIND returned to a 3-DNS is not examined nor presented to the administrator and no further action is taken. The only importance of this query is the value collected for the round trip time.

Here are some things you can do.

To change the version string that is returned by a DNS server, in named.conf add

    options {
        version "FooBar";
    };

To outright block all replies, in named.conf add

    zone "bind" CHAOS {
        type master;
        file "db.bind";
        allow-query { none; };
    };

and the actual zone file db.bind

    @        86400  CHAOS  SOA  dns hostmaster.dns.foo.com. (
                                9 28800 7200 604800 86400 )
             86400  CHAOS  NS   dns
    version  86400  CHAOS  TXT  "Anything"

The allow-query { none; }; will ensure that no response is returned.
This method of round trip time calculation is not pre-configured or a default. Each metrics collection method has a specific timing interval that can be tuned by the administrator to any degree. 3-DNS does not and will never go beyond the point of its goal -- to reliably measure network performance.

Regards,
Tom Kee
Product Development Manager, 3-DNS
F5 Networks, Inc.
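
Added example, not part of the original message and not F5 or BIND code: a small parser that recognises the query the message describes (name "version.bind", type TXT, class CHAOS) in raw UDP port 53 payloads, so an administrator can pick these probes out of captured traffic. The function names, the sample packets and the documentation-range source addresses are constructed for illustration.

```python
import struct

QTYPE_TXT, QCLASS_CHAOS = 16, 3   # TXT record type, CHAOS class (RFC 1035)

def build_query(name, qtype, qclass, txid=0x1234):
    """Encode a one-question DNS query; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(packet):
    """Return (name, qtype, qclass) of the first question, or None if not a valid query."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:          # QR bit set (a response) or no question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None                         # ran off the end: truncated name
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(packet):
            return None                         # pointer/reserved label or truncation
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_version_bind_probe(packet):
    """True for the query described above: name version.bind, type TXT, class CHAOS."""
    return parse_question(packet) == ("version.bind", QTYPE_TXT, QCLASS_CHAOS)

def probe_sources(captured):
    """Sorted source addresses that sent at least one version.bind probe."""
    return sorted({src for src, pkt in captured if is_version_bind_probe(pkt)})

# Constructed sample traffic (documentation addresses, not from the original post).
SAMPLES = [
    ("192.0.2.10", build_query("version.bind", 16, 3)),
    ("192.0.2.10", build_query("VERSION.BIND", 16, 3)),      # names are case-insensitive
    ("198.51.100.7", build_query("www.example.com", 1, 1)),  # ordinary A/IN lookup
    ("203.0.113.5", build_query("version.bind", 16, 1)),     # right name, class IN
    ("203.0.113.9", build_query("version.bind", 16, 3)[:20]),  # truncated packet
]
```

Calling probe_sources(SAMPLES) returns only 192.0.2.10; the class IN lookup and the truncated packet are not counted as probes.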