2007-05-31 14:19:44
By Tim Brown
By default, Microsoft's DNS server will return SOA records for three zones: the usual suspect 127.in-addr.arpa, but also 255.in-addr.arpa and 0.in-addr.arpa. Whilst this is recommended in RFC 1912, it's rare to find non-Microsoft DNS servers that respond to queries for the 0.in-addr.arpa and 255.in-addr.arpa zones. Indeed, even the root servers appear to reject such requests. Therefore this information can be used to fingerprint Microsoft DNS servers. But wait, there's more: reading a little more on the subject indicates that by default these zones are automatically created by the DNS server unless the DisableAutoReverseZones registry key is set. That doesn't sound too bad, but consider the following:
; <<>> DiG 9.3.2 <<>> @ns1.msft.net soa microsoft.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13503
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;microsoft.com. IN SOA
;; ANSWER SECTION:
microsoft.com. 3600 IN SOA dns.cp.msft.net. msnhst.microsoft.com. 2007053101 300 600 2419200 3600
;; ADDITIONAL SECTION:
dns.cp.msft.net. 3600 IN A 207.46.138.10
;; Query time: 42 msec
;; SERVER: 207.68.160.190#53(207.68.160.190)
;; WHEN: Thu May 31 13:52:08 2007
;; MSG SIZE rcvd: 105
As opposed to:
; <<>> DiG 9.3.2 <<>> @ns1.msft.net soa 0.in-addr.arpa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16084
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;0.in-addr.arpa. IN SOA
;; ANSWER SECTION:
0.in-addr.arpa. 3600 IN SOA tk2ipsdnsa12.phx.gbl. hostmaster.phx.gbl. 1 900 600 86400 3600
;; Query time: 40 msec
;; SERVER: 207.68.160.190#53(207.68.160.190)
;; WHEN: Thu May 31 13:45:26 2007
;; MSG SIZE rcvd: 99
Notice the difference? :) Same server, different authoritative host names. Guess that setting I mentioned earlier is kinda useful, particularly on internet-facing servers.
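A check a DNS administrator can run over saved dig output from their own server, as an added example (not from the original post): it parses the SOA answers and reports any auto-created reverse zone that answers authoritatively, along with an MNAME that differs from the public zone's. The function names are hypothetical; the PUBLIC and REVERSE samples are trimmed from the two dig outputs above, and REFUSED is constructed.

```python
import re

# Reverse zones the post says Microsoft DNS creates automatically.
AUTO_ZONES = ("0.in-addr.arpa.", "127.in-addr.arpa.", "255.in-addr.arpa.")
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)\s+(\d+)", re.MULTILINE)
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.MULTILINE)

# Sample input trimmed from the post's dig outputs (flags line + answer line).
PUBLIC = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
microsoft.com. 3600 IN SOA dns.cp.msft.net. msnhst.microsoft.com. 2007053101 300 600 2419200 3600
"""
REVERSE = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
0.in-addr.arpa. 3600 IN SOA tk2ipsdnsa12.phx.gbl. hostmaster.phx.gbl. 1 900 600 86400 3600
"""
# Constructed sample: a server that does not serve the zone (no answer section).
REFUSED = ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n"


def parse_soa(dig_text):
    """Return (owner, mname, rname, serial, authoritative) or None if no SOA answer."""
    m = SOA_RE.search(dig_text)
    if not m:
        return None
    flags = FLAGS_RE.search(dig_text)
    aa = flags is not None and "aa" in flags.group(1).split()
    owner, mname, rname = (g.lower() for g in m.group(1, 2, 3))
    return owner, mname, rname, int(m.group(4)), aa


def audit(public_dig, reverse_digs):
    """Compare auto reverse-zone SOAs with the public zone's SOA from the same server."""
    public = parse_soa(public_dig)
    findings = []
    for text in reverse_digs:
        soa = parse_soa(text)
        if soa is None or soa[0] not in AUTO_ZONES or not soa[4]:
            continue  # zone not served authoritatively: nothing to report
        owner, mname = soa[0], soa[1]
        issues = ["auto-created reverse zone answered"]
        if public and mname != public[1]:
            issues.append(f"MNAME {mname} differs from public MNAME {public[1]}")
        findings.append((owner, issues))
    return findings


if __name__ == "__main__":
    print(audit(PUBLIC, [REVERSE, REFUSED]))
```

An empty result after setting DisableAutoReverseZones and restarting the DNS service indicates the zones are no longer being answered.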
Mood: Amused
Music: random()