Home / server / Questions / 509364
Accepted
Andrew B
Asked: 2013-05-21 11:58:00 +0800 CST

What is the structure of zones synthesized by BIND's empty-zones-enable feature?

  • 772

BIND 9.4.1 implemented automatic empty reverse zones for private address space in order to prevent reverse DNS leakage. This saves an administrator the trouble of having to define these empty zones, and reduces the number of "out of the box" configurations that will leak reverse DNS lookups to IANA's blackholing servers.

What is the default format of the synthesized replies from an automatic empty reverse zone? The format isn't completely described within the documentation. (just the defaults of a few options)

domain-name-system

1 Answers

  1. Best Answer

    If the default options for empty zones have not been adjusted, an ANY query should return the following:

    # dig @localhost 254.169.IN-ADDR.ARPA ANY

; <<>> DiG 9.8.4-P2 <<>> @localhost 254.169.IN-ADDR.ARPA ANY
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9411
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;254.169.IN-ADDR.ARPA.          IN      ANY

;; ANSWER SECTION:
254.169.IN-ADDR.ARPA.   86400   IN      SOA     254.169.IN-ADDR.ARPA. . 0 28800 7200 604800 86400
254.169.IN-ADDR.ARPA.   0       IN      NS      254.169.IN-ADDR.ARPA.

;; AUTHORITY SECTION:
254.169.IN-ADDR.ARPA.   86400   IN      SOA     254.169.IN-ADDR.ARPA. . 0 28800 7200 604800 86400
    • Note that the Authoritative Answer (aa) flag is set. No recursion.
    • The NS record points to the apex of the zone, which has no A record.
    • There is no glue associated with the NS record.
    • The MNAME SOA field (master server) is identical to the name of the empty zone. This behavior is changed by the empty-server option.
    • The RNAME SOA field (contact) contains a single dot (.). This behavior is changed by the empty-contact option.
    • Requests for records below the top of the zone will return NXDOMAIN.

    Based on the above, the most reliable way to fingerprint a synthesized empty zone is to look for the aa flag, and check to see whether the NS record points to a zone apex with a missing A record. Keep in mind that you can't check for a NXDOMAIN response because other record types are present with the same name; you'll get a NOERROR response with no ANSWER section when requesting the A record.

    It's usually safe to assume that responses with "official" looking SOA fields (MNAME of prisoner.iana.org., RNAME of hostmaster.root-servers.org.) have leaked up to the root nameservers, but depending on the scans you're running inside your network this may not always be sufficient.

    • 1