It's the Code garbage collector. Mind dumps of daily coding antics from a frustrated silly little man. VBS, PHP, TCL, TK, PERL, C++, JAVA....what now? Ruby?
No Wait.. It should be just RUBY!

20080728

DNS version attempts & tools

There has been some DNS junk flying around again.. so refresh.

Don't forget how easy it is to do a DNS version attempt.

dig @ns.example.com -c CH -t txt version.bind


Make sure the version string of your BIND/named is obfuscated or disabled with a custom message:


options
{
    // Returned for CHAOS TXT version.bind queries instead of the real version
    version "Generic DNS Server";
};


Not that it helps much with fpdns around, since it fingerprints the server from how it responds rather than from the version string.

anonymous@:~$ fpdns -D google.com
fingerprint (google.com, 216.239.34.10): ISC BIND 8.3.0-RC1 -- 8.4.4
fingerprint (google.com, 216.239.36.10): ISC BIND 8.3.0-RC1 -- 8.4.4

Perl: (Fingerprint.PM)


Make sure you read basic DNS information like

Cisco's: DNS Best Practices, Network Protections, and Attack Identification

And understand the principles laid out in Secure BIND configurations such as:
http://www.cymru.com/Documents/secure-bind-template.html

Look into DNS Debug tools such as DNSwalk, dlint, & DOC

And for reverse lookups where there is no PTR record, try A record caches like:
Passive DNS Replication @
http://cert.uni-stuttgart.de/stats/dns-replication.php

1 comment:

Benjamin said...

Indeed. Unless things have changed a DNS version attempt doesn't have a legitimate use, other than for probing. Seeing a DNS version attempt fire on an IDS is a pretty clear indicator you're being probed. Snort comes with sigs to catch both DNS version and author attempts.
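
The dig query from the post and the IDS check mentioned in the comment, as an added example that is not part of the original post or its comments: Python that parses a raw DNS query payload and flags CHAOS-class TXT questions for version.bind or authors.bind. The function names and sample packets are constructed for illustration, and this is not Snort's rule logic.

```python
import struct

# CHAOS-class TXT names the page and comment mention (version and authors).
PROBE_NAMES = {"version.bind", "authors.bind"}
CLASS_CH, TYPE_TXT = 3, 16


def build_query(name, qtype=TYPE_TXT, qclass=CLASS_CH, txid=0x1234):
    """Build a minimal DNS query (constructed sample input, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_question(payload):
    """Return (name, qtype, qclass) of the first question, or None if malformed."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:  # skip responses and empty question sections
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None  # ran off the end before the root label
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return None  # pointer/oversized label or truncated packet
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels).lower(), qtype, qclass  # DNS names are case-insensitive


def is_version_probe(payload):
    """True for a CH/TXT query asking for one of the probe names."""
    q = parse_question(payload)
    return q is not None and q[1] == TYPE_TXT and q[2] == CLASS_CH and q[0] in PROBE_NAMES


if __name__ == "__main__":
    for n, c in (("version.bind", CLASS_CH), ("AUTHORS.BIND", CLASS_CH), ("example.com", 1)):
        print(n, c, is_version_probe(build_query(n, qclass=c)))
```

Feed it the UDP payload of packets destined for port 53; matching on the parsed question rather than a byte string catches mixed-case names and ignores truncated or malformed packets.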