Home arrow Site Administration arrow Page 3 - Webserver Security (Part I)

Dumping a zone using nslookup - Administration

This first article in a two-part series deals with tools to find security holes in webservers and workstations. Some of the topics covered are: port scanning, finding NFS security holes, and using lsof.

TABLE OF CONTENTS:
  1. Webserver Security (Part I)
  2. The server offers services it was not intended to
  3. Dumping a zone using nslookup
  4. Other Helpful Tools
  5. rpcinfo query to www.example.server
  6. Remote SNMP queries
By: Kristian Kohntopp
Poor Best
Rating: starstarstarstarstar / 2
April 19, 2000

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement
To get a listing of all known hosts in a domain you could run nmap scan against the complete network containing the server of interest. Alternatively you could look into the DNS and see what the server operator has published about his domain.

Using the example.server domain again: 
# nslookup
< set type=ns
< www.example.server.
Server:  ns.provider.net
Address:  10.4.3.1
example.server
origin = ns.example.server
mail addr = postmaster.ns.example.server
serial = 2000032201
refresh = 10800 (3H)
retry   = 3600 (1H)
expire  = 604800 (1W)
minimum ttl = 86400 (1D)
< server ns.example.server
Default Server:  ns.example.server
Address:  192.168.129.37
< ls example.server.
[ns.example.server]
$ORIGIN example.server.
@                       1D IN A         192.168.240.131
wwwtest                 1D IN A         192.168.240.135
news                    1D IN A         192.168.240.136
localhost               1D IN A         127.0.0.1
listserv                1D IN A         192.168.240.136
...
igate                   1D IN A         192.168.129.34
The "set type=ns" (Nameserver) command instructs nslookup to ask only for information about the nameserver of a domain. Our query for "www.example.server." will then return all nameservers for that host, in this case only a single server, "ns.example.server."

We now use the command "server ns.example.server" to direct all further queries directly to that server. With "ls example.server." we ask that particular server for a complete listing of the zone "example.server". We receive a listing of all hostnames and ip numbers published by the operator of example.server.

A better-configured BIND8 allows us to limit zone transfers to known secondary name servers. "ls" commands from arbitrary hosts will be blocked and logged. If a domain has multiple nameservers it is often worthwile to try all of them: While the primary server is often secured, the secondaries are not and will happily list the zone for you.

Security conscious network operators run their internal DNS from a different server than their Internet setup. There is no need to tell the world which machines are running in your offices and how they are named. It is completely sufficient to publish the names and addresses of your production machines.


 
 
>>> More Site Administration Articles          >>> More By Kristian Kohntopp
 

blog comments powered by Disqus
   

SITE ADMINISTRATION ARTICLES

- Coding: Not Just for Developers
- To Support or Not Support IE?
- Administration: Networking OSX and Win 7
- DotNetNuke Gets Social
- Integrating MailChimp with Joomla: Creating ...
- Integrating MailChimp with Joomla: List Mana...
- Integrating MailChimp with Joomla: Building ...
- Integrating MailChimp with Joomla
- More Top WordPress Plugins for Social Media
- Optimizing Security: SSH Public Key Authenti...
- Patches and Rejects in Software Configuratio...
- Configuring a CVS Server
- Managing Code and Teams for Cross-Platform S...
- Software Configuration Management
- Back Up a Joomla Site with Akeeba Backup
Find More Site Administration Articles

Developer Shed Affiliates

 

© 2003-2013 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap

Dev Shed Tutorial Topics: