Plugin 10539 reported a DNS server as allowing recursive queries.  I
tried to verify this with:

========================================================
$ dig @dns.server.com www.nessus.org

; <<>> DiG 9.3.1 <<>> -t A @dns.server.com www.nessus.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9908
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nessus.org.          IN      A

=======================================================

The status is 'SERVFAIL' but the 'ra' (recursion available) bit is set
as well.


From reading the plugin:

.....
send(socket:soc, data:req);             # send the query built earlier in the script
r  = recv(socket:soc, length:4096);     # read the reply
close(soc);
if ( ! r ) exit(0);                     # no reply at all: nothing to report

pk = dns_split(r);                      # split the reply into header fields, incl. pk["flags"]

# 0x8085 masks QR (0x8000), RA (0x0080) and RCODE bits 0 and 2 (0x0005);
# the test is true when QR and RA are set and those two RCODE bits are clear.
if ( (pk["flags"] & 0x8085) == 0x8080 )
  security_warning(port:53, proto:"udp");
......



It looks like Nessus is relying on the 'ra' bit to determine if
recursion is available... correct?


If this is the case, why does it report this since the response (from
below) is 0x8082?


Also, when the script builds the query, it apparently sets the DNS flags
to "dns["flags"] = 0x0100;", but from the packet capture you see that
the query is actually 0x0000.  Is this correct?




15:14:05.688382 IP src.host.com.46385 > dns.server.domain:  139 A? www.nessus.org. (32)
        0x0000:  0030 9458 4730 0004 758e 8ebe 0800 4500  .0.XG0..u.....E.
        0x0010:  003c 99e4 4000 4011 73b4 xxxx xxxx xxxx  .<..@.@.s.......
        0x0020:  xxxx b531 0035 0028 45aa 008b 0000 0001  ...1.5.(E.......
        0x0030:  0000 0000 0000 0e77 7777 2e6e 6573 7375  .......www.nessu
        0x0040:  732e 6f72 6700 0001 0001                 s.org.....

15:14:05.745973 IP dns.server.domain > src.host.com.46385:  139 ServFail 0/0/0 (32)
        0x0000:  0004 758e 8ebe 0030 9458 4730 0800 4500  ..u....0.XG0..E.
        0x0010:  003c 0000 4000 3211 1b99 xxxx xxxx xxxx  .<..@.2.........
        0x0020:  xxxx 0035 b531 0028 c527 008b 8082 0001  ...5.1.(.'......
        0x0030:  0000 0000 0000 0e77 7777 2e6e 6573 7375  .......www.nessu
        0x0040:  732e 6f72 6700 0001 0001                 s.org.....



Scott Pate
Security Consultant
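The following Python script is an added example for this post; it is not the plugin's code and not part of the mailing list message. It takes the two UDP payloads from the tcpdump hex dump above (constructed here from the bytes after the 8-byte UDP header, i.e. from "008b" at offset 0x2a onwards), decodes the RFC 1035 header flags, and applies the plugin's own test, (flags & 0x8085) == 0x8080. It shows why the check fires on this reply: 0x8082 & 0x8085 is 0x8080, because the mask only examines RCODE bits 0 and 2, so RCODE 2 (SERVFAIL) passes just like RCODE 0 (the script lists every RCODE that passes). It also decodes the question name from the capture, which is encoded as a single 14-byte label "www.nessus.org" rather than the three labels "www", "nessus", "org", and builds a reference query with RD (0x0100) set for comparison. The RCODE names are the standard RFC 1035 values.

```python
"""Decode the DNS header fields that plugin 10539 tests, using the bytes from the
post's tcpdump capture. Added example; not the plugin's or the poster's code."""
import struct

# Constructed from the hex dump in the post: UDP payloads only (everything after
# the 8-byte UDP header, i.e. from the "008b" transaction id at offset 0x2a).
CAPTURED_QUERY = bytes.fromhex(
    "008b 0000 0001 0000 0000 0000"
    "0e77 7777 2e6e 6573 7375 732e 6f72 6700 0001 0001"
)
CAPTURED_REPLY = bytes.fromhex(
    "008b 8082 0001 0000 0000 0000"
    "0e77 7777 2e6e 6573 7375 732e 6f72 6700 0001 0001"
)

# RCODE names from RFC 1035.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def parse_dns_header(pkt):
    """Return the 12-byte DNS header as a dict, with the flag word broken out."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    return {
        "id": txid, "flags": flags,
        "qr": bool(flags & 0x8000),          # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),          # authoritative answer
        "tc": bool(flags & 0x0200),          # truncated
        "rd": bool(flags & 0x0100),          # recursion desired
        "ra": bool(flags & 0x0080),          # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_question_name(pkt):
    """Return the labels of the first question name (no compression pointers
    are expected in a bare query or in this reply)."""
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated question name")
        n = pkt[pos]
        pos += 1
        if n == 0:
            return labels
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n


def plugin_check(flags):
    """The plugin's test as quoted in the post: QR and RA set, RCODE bits 0 and 2 clear."""
    return (flags & 0x8085) == 0x8080


def rcodes_passing_mask():
    """Every RCODE value the mask lets through when QR and RA are set."""
    return [rc for rc in range(16) if plugin_check(0x8080 | rc)]


def build_query(qname, txid, rd=True):
    """Reference A query with proper per-label encoding; flags 0x0100 when RD is set."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    return header + question


def main():
    for name, pkt in (("query", CAPTURED_QUERY), ("reply", CAPTURED_REPLY)):
        h = parse_dns_header(pkt)
        print(f"{name}: flags=0x{h['flags']:04x} qr={h['qr']} rd={h['rd']} "
              f"ra={h['ra']} rcode={RCODE_NAMES.get(h['rcode'], h['rcode'])} "
              f"labels={parse_question_name(pkt)}")
    print("plugin test on captured reply:", plugin_check(parse_dns_header(CAPTURED_REPLY)["flags"]))
    print("RCODEs that pass the 0x8085 mask:", rcodes_passing_mask())
    ref = build_query("www.nessus.org", 0x8b)
    print(f"reference query flags=0x{parse_dns_header(ref)['flags']:04x} "
          f"labels={parse_question_name(ref)}")


if __name__ == "__main__":
    main()
```

Running it prints the captured query with flags 0x0000 (RD clear) and the reply with flags 0x8082 (QR and RA set, RCODE SERVFAIL), reports that the plugin's test is true for that reply, and lists 0, 2, 8 and 10 as the RCODEs that satisfy the mask.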



_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
