Security Incidents mailing list archives

Re: Microsoft version.binding us now?


From: t.kee () F5 COM (Tom Kee)
Date: Sat, 3 Jun 2000 00:33:30 -0700


                The purpose of the 3-DNS metrics collection software is to measure the path attributes by getting a
reflection off the requesting end point when a load balancing option is chosen which requires such measurements. A TCP
half-open connection against the requestor's port 53 has been a reliable way to garner such a reflection at the expense
of logging an entry in the messages file. 3-DNS offers administrators several definable and configurable techniques
which may be used to get a reflection for the purpose of measuring a round trip time.

      One such method is to query the DNS server for its "version.bind". Using version.bind involves a minimal
amount of effort for BIND to look up the entry in its memory tables (for those who wish to refer to the details,
look through lines 957-980 in ns_req.c against bind8.2.2pl5, where you'll see that the DNS query is examined for the
type TXT, class CHAOS and name "version.bind"). The actual version of BIND returned to a 3-DNS is not examined nor
presented to the administrator and no further action is taken. The only importance of this query is the value
collected for the round trip time. Here are some things you can do.

      To change the version string that is returned by a DNS server, in named.conf add

      options {
         version "FooBar";
      };

      To outright block all replies, in named.conf add

      zone "bind" CHAOS {
              type master;
              file "db.bind";
              allow-query { none; };
      };


      and the actual zone file db.bind

      @       86400   CHAOS   SOA     dns hostmaster.dns.foo.com. (
                      9 28800 7200 604800 86400 )
              86400   CHAOS   NS      dns
      version 86400   CHAOS   TXT     "Anything"



      The allow-query { none; }; will ensure that no response is returned.

      This method of round trip time calculation is not pre-configured or a default. Each metrics collection
method has a specific timing interval that can be tuned by the administrator to any degree.

                3-DNS does not and will never go beyond the point of its goal -- to reliably measure network
performance.

                Regards,

                Tom Kee
                Product Development Manager, 3-DNS
                F5 Networks, Inc.
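The probe described in the message above, written out as an added example (this is not code from Tom Kee, F5 or ISC): it builds the exact query 3-DNS is said to send, a TXT record for "version.bind" in class CHAOS, and parses the reply so an administrator can verify the named.conf changes from the message. The two sample replies are constructed inline (the "FooBar" string mirrors the options example above); the parser also recognizes a REFUSED reply (rcode 5), which is what a server that denies the query answers with, and the optional live helper treats no reply at all as a timeout. Function names are my own.

```python
import socket
import struct

TYPE_TXT = 16       # QTYPE TXT
CLASS_CH = 3        # QCLASS CHAOS
RCODE_REFUSED = 5   # rcode returned when allow-query denies the question


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_bind_query(txid=0x1234):
    """Build the query the message describes: TXT for version.bind, class CHAOS."""
    # flags 0x0100: standard query, recursion desired; one question, no RRs
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    return header + question


def skip_name(buf, off):
    """Return the offset just past a wire-format name (compression pointers are two bytes)."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def parse_version_response(resp):
    """Classify a reply: ("refused", None), ("empty", None) or ("txt", [strings])."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F == RCODE_REFUSED:
        return ("refused", None)
    off = 12
    for _ in range(qd):                      # step over the echoed question(s)
        off = skip_name(resp, off) + 4
    strings = []
    for _ in range(an):                      # walk the answer section
        off = skip_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            i = 0                            # TXT RDATA is a run of <len><bytes> strings
            while i < len(rdata):
                ln = rdata[i]
                strings.append(rdata[i + 1:i + 1 + ln].decode("latin-1"))
                i += 1 + ln
    return ("txt", strings) if strings else ("empty", None)


def query_live(server, timeout=2.0):
    """Send the query over UDP to a real server; returns ("timeout", None) if nothing comes back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_version_bind_query(), (server, 53))
        data, _ = s.recvfrom(512)
    except socket.timeout:
        return ("timeout", None)
    finally:
        s.close()
    return parse_version_response(data)


def constructed_txt_response(text, txid=0x1234):
    """CONSTRUCTED sample reply: what a server configured with version "FooBar" answers."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 1, 1, 0, 0)   # response, AA set, 1 answer
    question = encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def constructed_refused_response(txid=0x1234):
    """CONSTRUCTED sample reply: response with rcode REFUSED and an empty answer section."""
    header = struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    return header + question


if __name__ == "__main__":
    print(parse_version_response(constructed_txt_response("FooBar")))
    print(parse_version_response(constructed_refused_response()))
```

Run `query_live("203.0.113.10")` (an address of your own server) after editing named.conf: a "txt" result carrying your chosen string confirms the options block took effect, while "refused" or "timeout" confirms the CHAOS zone with allow-query { none; } is in place.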

