If it's a slave, one way to force tests to it might be to temporarily stop named on the primary so queries have to use the slave.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Darcy
Sent: Tuesday, August 12, 2008 12:51 AM
To: [email protected]
Subject: Re: testing vulnerability against secondary NS

Chris Henderson wrote:
> I am testing the recent DNS vulnerability against my secondary name server
> from my local machine
> ("dig @<ip_of_nameserver> +short porttest.dns-oarc.net TXT" and also
> "nslookup -querytype=TXT -timeout=10 porttest.dns-oarc.net.")
>
> But strangely it is giving me the result of my primary name server! Every time
> I try to query, it gives me back my primary name server's result. I also tried
> doxpara.com and https://www.dns-oarc.net/oarc/services/dnsentropy
>
> My local machine's /etc/resolv.conf has only one nameserver entry - my
> secondary name server.
>
> Also, if I try to resolve a hostname I can query my secondary name server and
> get the answer back. So I know my secondary name server is working.
>
> Does anyone know how I can test the vuln. against my secondary name server?
>

Well, what's the config of your so-called "secondary nameserver"? Does it just forward to the "primary"? If so, then that's where the queries will be seen to originate, by the vulnerability-testing tools.

Another possibility is that you have a NAPT device multiplexing both your "primary" and "secondary" nameservers into a single address. Since it would need to use different port numbers to accomplish this, the exact implementation/configuration details of the NAPT would have an effect on whether you get a "good" or "ok" result from the vulnerability-testing tools.

- Kevin
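
An added example, not part of the thread: a small Python check that compares the source address reported in a porttest answer with the server that was queried, which is how the forwarding and NAPT cases Kevin describes show up. The answer format in the regex, the sample addresses (documentation range) and the `known_servers` map are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed shape of the porttest TXT answer (not shown in the thread):
#   "<source-ip> is <RATING>: <n> queries in <t> seconds from <p> ports with std dev <s>"
PORTTEST_RE = re.compile(
    r'(?P<ip>[0-9A-Fa-f:.]+) is (?P<rating>[A-Z]+): '
    r'(?P<queries>\d+) queries in [\d.]+ seconds '
    r'from (?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)'
)

def interpret(txt_answer, queried_server, known_servers=None):
    """Say which machine a porttest answer actually describes.

    queried_server: the address given to dig after '@'.
    known_servers:  hypothetical map of address -> label for your own hosts.
    """
    m = PORTTEST_RE.search(txt_answer)
    if m is None:
        raise ValueError("not a porttest answer: %r" % txt_answer)
    seen = ipaddress.ip_address(m.group("ip"))
    target = ipaddress.ip_address(queried_server)
    result = {
        "seen_source": str(seen),
        "rating": m.group("rating"),
        "queries": int(m.group("queries")),
        "distinct_ports": int(m.group("ports")),
        "tested_target": seen == target,
    }
    if seen == target:
        result["verdict"] = "result describes the server you queried"
    else:
        label = (known_servers or {}).get(str(seen), "unknown address")
        result["verdict"] = (
            "result describes %s (%s), not %s: the queried server forwards, "
            "or a NAPT device rewrote the source" % (seen, label, target))
    return result

# Constructed sample: dig was pointed at the secondary (192.0.2.53),
# but the answer names the primary's address as the query source.
SAMPLE = '"192.0.2.1 is POOR: 26 queries in 4.4 seconds from 1 ports with std dev 0"'

if __name__ == "__main__":
    print(interpret(SAMPLE, "192.0.2.53", {"192.0.2.1": "primary"})["verdict"])
```

A mismatch alone does not say whether forwarding or address translation is responsible; the secondary's forwarders configuration and the NAPT mapping have to be checked to tell the two apart.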
