Penetration Testing mailing list archives

Re: [PEN-TEST] DNS testing tool


From: Simon Waters <Simon () wretched demon co uk>
Date: Wed, 7 Mar 2001 23:29:13 +0000

Laura Nuñez wrote:

Hi all,
        I am trying to find any tool to pen test a DNS server, or
documentation about best practices to set it up.
        I have this, for the moment:
                - Disable Zone Transfers
                - Assign reverse DNS only to those hosts that require it
                - Split DNS for internal hosts
                - Apply fixes and version upgrades to avoid known
vulnerabilities
                - Don't include additional info records

        Is there something else I should account for? Or tools to check this
automatically? I have been using SamSpade for Zone Transfers.

There is a DNS audit document floating somewhere on the Internet -
e-mail me if you don't find anything promising.

I'm about to review DNS Expert from Mice and Men - no idea yet, but it
gets good reviews. Some security stuff is hard to automate, as it
implies you need to have both valid and invalid IPs; nslookup can do
zone transfers, so there is no need to install extra software everywhere.

Delegation problems are one of the most common - this affects resistance to
DoS if your delegation is iffy; also inappropriate use of CNAMEs,
inconsistent SOAs, BIND version being returned (for the paranoid), and
inappropriate use of DDNS.

I keep adding stuff to my list of things to check for my DNS audits....

        Simon
--
Want to learn about Linux? Get it installed?
Devon and Cornwall LUG Event for UK Linux Day
Exeter University - Sunday April 29th 2001 10:00 to 17:00
www.linuxday.org.uk or join D&C LUG www.lug.termisoc.org
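One way to turn the checklist discussed in this thread (zone transfers, inconsistent SOAs, delegation problems, BIND version disclosure) into repeatable audit logic, as an added example that is not code from the original post or from any tool it mentions. The lookups themselves are assumed to have been gathered already (with nslookup or dig) into constructed snapshot records, and every hostname, serial and version string below is hypothetical.

```python
# Added example (not from the thread). The network lookups (AXFR attempt, SOA
# query, 'TXT version.bind CH') are assumed to have been collected already, e.g.
# with nslookup or dig, and are represented by constructed NsSnapshot values.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NsSnapshot:
    """What one authoritative server answered for the zone (constructed input)."""
    name: str                      # hostname of the server that was queried
    soa_serial: Optional[int]      # serial field of the zone's SOA record
    apex_ns: frozenset[str]        # NS records the server publishes at the apex
    axfr_allowed: bool             # True if an AXFR request returned the zone
    version_bind: Optional[str]    # answer to 'TXT version.bind CH', if disclosed

def audit_zone(zone: str, parent_ns: frozenset[str], snapshots: list[NsSnapshot]) -> list[str]:
    """Return findings: transfer exposure, SOA drift, delegation mismatch, version leak."""
    findings: list[str] = []
    serials = {s.soa_serial for s in snapshots}
    if len(serials) > 1:  # secondaries out of step with the primary, or stale data
        findings.append(f"{zone}: inconsistent SOA serials across servers {sorted(map(str, serials))}")
    for s in snapshots:
        if s.axfr_allowed:
            findings.append(f"{zone}: {s.name} permits zone transfer (AXFR)")
        if s.version_bind:
            findings.append(f"{zone}: {s.name} discloses server version '{s.version_bind}'")
        if s.apex_ns != parent_ns:  # parent delegation and child apex NS set disagree
            findings.append(f"{zone}: delegation mismatch at {s.name} "
                            f"(parent-only {sorted(parent_ns - s.apex_ns)}, "
                            f"child-only {sorted(s.apex_ns - parent_ns)})")
        if s.name not in s.apex_ns:  # answers for the zone but is not advertised as an NS
            findings.append(f"{zone}: {s.name} is authoritative but absent from apex NS records")
    return findings

# Constructed sample: ns2 is a lagging secondary that allows AXFR, leaks its
# version, and publishes an NS set that no longer matches the parent's delegation.
SAMPLE_PARENT_NS = frozenset({"ns1.example.test.", "ns2.example.test."})
SAMPLE_SNAPSHOTS = [
    NsSnapshot("ns1.example.test.", 2001030701, SAMPLE_PARENT_NS, False, None),
    NsSnapshot("ns2.example.test.", 2001030601,
               frozenset({"ns1.example.test.", "ns3.example.test."}), True, "9.1.0"),
]

def sample_findings() -> list[str]:
    """Run the audit over the constructed sample; expected: five findings."""
    return audit_zone("example.test.", SAMPLE_PARENT_NS, SAMPLE_SNAPSHOTS)
```

Feeding real snapshots in is a matter of querying every server listed at the parent and in the apex, since a server missing from one of those lists is exactly the kind of delegation problem the reply describes.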