Discussion:
dns test question
Berkley, Simeon
2014-07-16 19:02:06 UTC
I'm trying to check to make sure that we can do zone transfers of 'example.com'
from 'dnsserver.com'. I've put 'dns=AXFR:example.com' in the hosts.cfg line for
'dnsserver.com'. For a status I'm getting:

...

*** DNS lookup of 'AXFR:example.com' ***
Server could not understand query
id: 52793
flags: qr rd
opcode: QUERY
rcode: FORMERR
Questions:
example.com . AXFR
Answers:
NS records:
Additional records:

Seconds: 0.121

...

Is this known to be broken (I see references to AXFR in dns2.c), or am I
doing it wrong? I searched the archives for 'axfr' and came up with no
results too, which seems odd.

Thanks in advance,

--
Simeon Berkley
Jeremy Laidman
2014-07-16 23:21:53 UTC
Simeon

AXFR is not a valid query type for UDP packets.

I have the following in my protocols.cfg:

# Zone transfer TCP/53 check
[axfr]
# Zone transfer test
#
# If you adjust the zone name "xymon-test", you must also
# adjust the preceding two bytes (\0x00\0x0a=10 decimal) to
# match the length of the zone and also adjust the 2nd byte
# (0x1c=28 decimal) to be the zone name length
# plus 18 (or the size of the whole send string minus 2).
#
# The third and fourth bytes (both 0xff) are simply the DNS query
# ID, and will be the same in the response.
#
# We expect a response exactly the same but with "0x80 0x89" just after
# the ID for a "NOTAUTH" (RCODE=9) response.
#
# The zone to be queried must be such that it fails (either
# a forward zone or a non-existent zone, giving NOTAUTH to dig),
# otherwise the response length will be different and we won't be
# able to match it in our expect string.
#
# If you want to query a valid domain, don't use send/expect at all.
# because the first two bytes in the response can't be reliably
# predicted.

port 53
send
"\x00\x1c\xff\xff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0axymon-test\x00\x00\xfc\x00\x01"
expect
"\x00\x1c\xff\xff\x80\x89\x00\x01\x00\x00\x00\x00\x00\x00\x0axymon-test\x00\x00\xfc\x00\x01"

# Zone transfer TCP/53 check
[axfr2]
# like axfr, but with RCODE=5 instead of 9
port 53
send
"\x00\x1c\xff\xff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0axymon-test\x00\x00\xfc\x00\x01"
expect
"\x00\x1c\xff\xff\x80\x85\x00\x01\x00\x00\x00\x00\x00\x00\x0axymon-test\x00\x00\xfc\x00\x01"

Then just add axfr or axfr2 (depending on what the server responds with) to
hosts.cfg. RCODE 5 means "refused", RCODE 9 means "not authoritative".
Servers that restrict AXFR will return 5.

I know it's not exactly what you're looking for but it might be a place to
start.

J
_______________________________________________
Xymon mailing list
http://lists.xymon.com/mailman/listinfo/xymon
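As an added example (not code from this thread or from Xymon itself): a small Python helper that generates the length-prefixed TCP AXFR query that Jeremy's send string hand-encodes, for any zone name, so the two length bytes his comment says must be adjusted by hand are computed instead; it also derives the matching expect string for a given RCODE, renders both in protocols.cfg escape syntax, and reads the RCODE back out of a reply. `probe_axfr` is an assumed name for a live TCP/53 probe built on the same frame.

```python
import socket
import struct

AXFR = 252  # QTYPE 252 = AXFR; QCLASS 1 = IN

def build_axfr_query(zone: str, qid: int = 0xFFFF) -> bytes:
    """TCP-framed AXFR query: 2-byte length prefix + 12-byte header + question.
    Flags 0x0000 (plain query), QDCOUNT=1; qid 0xFFFF mirrors the thread's string."""
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in zone.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    message = header + qname + struct.pack(">HH", AXFR, 1)
    return struct.pack(">H", len(message)) + message  # length excludes itself

def expected_reply(query: bytes, rcode: int) -> bytes:
    """Reply from a server that only echoes the question: same frame with
    QR=1 and RA=1 set, i.e. flags 0x80 0x8N for RCODE N (0x89 NOTAUTH, 0x85 REFUSED)."""
    flags = struct.pack(">H", 0x8080 | (rcode & 0x0F))
    return query[:4] + flags + query[6:]

def parse_rcode(frame: bytes) -> int:
    """RCODE of a TCP-framed DNS reply: low 4 bits of the flags word at offset 4."""
    (length,) = struct.unpack(">H", frame[:2])
    if len(frame) != length + 2:
        raise ValueError("frame length does not match its 2-byte prefix")
    (flags,) = struct.unpack(">H", frame[4:6])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x0F

def xymon_escape(data: bytes) -> str:
    """Render bytes in protocols.cfg send/expect syntax: ASCII letters, digits
    and '-' literal, everything else as \\xNN (as in the thread's strings)."""
    out = "".join(chr(b) if (b < 0x80 and chr(b).isalnum()) or b == 0x2D
                  else "\\x%02x" % b for b in data)
    return '"' + out + '"'

def probe_axfr(server: str, zone: str, timeout: float = 5.0) -> int:
    """Assumed helper: send the query over TCP/53 and return the RCODE.
    5 (REFUSED) or 9 (NOTAUTH) means transfers are restricted; 0 means the
    server is willing to hand the zone out and the first message has followed."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        head = s.recv(2)
        (length,) = struct.unpack(">H", head)
        body = b""
        while len(body) < length:  # TCP may deliver the frame in pieces
            chunk = s.recv(length - len(body))
            if not chunk:
                raise ConnectionError("short read from server")
            body += chunk
    return parse_rcode(head + body)
```

`xymon_escape(build_axfr_query("your.zone"))` and `xymon_escape(expected_reply(..., 9))` give the send and expect lines to paste into a `[axfr]` stanza; a zone that the server answers with anything beyond the echoed question will not match a fixed expect string, as Jeremy's comment notes.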
Berkley, Simeon
2014-07-17 11:53:50 UTC
Looks like the folks who made this request have changed their minds on
how/what they want to monitor, but this will likely come in handy in the
future (if not for us, for someone else searching the list). Thank you very
much!


--
Simeon Berkley