If it's a slave, one way to force tests to it might be to temporarily
stop named on the primary so queries have to use the slave.

-----Original Message-----
From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
Behalf Of Kevin Darcy
Sent: Tuesday, August 12, 2008 12:51 AM
To: bind-users@isc.org
Subject: Re: testing vulnerability against secondary NS

Chris Henderson wrote:
> I am testing the recent DNS vulnerability against my secondary name server
> from my local machine
> ("dig @ +short porttest.dns-oarc.net TXT" and also
> "nslookup -querytype=TXT -timeout=10 porttest.dns-oarc.net.")
>
> But strangely it is giving me the result of my primary name server! Every time
> I try to query, it gives me back my primary name server's result. I also tried
> doxpara.com and https://www.dns-oarc.net/oarc/services/dnsentropy
>
> My local machine's /etc/resolv.conf has only one nameserver entry - my
> secondary name server.
>
> Also, if I try to resolve a hostname I can query my secondary name server and
> get the answer back. So I know my secondary name server is working.
>
> Does anyone know how I can test the vuln. against my secondary name server?
>
>

Well, what's the config of your so-called "secondary nameserver"?

Does it just forward to the "primary"?

If so, then that's where the queries will be seen to originate, by the
vulnerability-testing tools.

Another possibility is that you have a NAPT device multiplexing both
your "primary" and "secondary" nameservers into a single address. Since it
would need to use different port numbers to accomplish this, the exact
implementation/configuration details of the NAPT would have an effect on
whether you get a "good" or "ok" result from the vulnerability-testing
tools.



- Kevin
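Added example, not part of the original thread: the port test reports the address its queries arrived from, so comparing that address with each server's public address shows whether the secondary itself was measured or whether a forwarder or shared NAPT address answered for it, as the replies above suggest. The TXT answer format, the function names, and the sample output are assumptions constructed for illustration.

```python
import ipaddress
import re
from typing import NamedTuple

# Assumed TXT answer shape (the thread does not show it):
#   "<ip> is <RATING>: <n> queries in <t> seconds from <p> ports with std dev <s>"
_RESULT = re.compile(
    r'^"?(?P<ip>[0-9A-Fa-f:.]+) is (?P<rating>[A-Z]+): (?P<queries>\d+) queries '
    r'in [\d.]+ seconds from (?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"?$'
)

class PortTest(NamedTuple):
    source: str      # address the test server saw the queries come from
    rating: str
    queries: int
    ports: int       # distinct UDP source ports observed
    stddev: float

def parse_porttest(dig_output: str) -> PortTest:
    """Find the result line in `dig +short` output, skipping CNAME lines."""
    for line in dig_output.splitlines():
        m = _RESULT.match(line.strip())
        if m:
            return PortTest(str(ipaddress.ip_address(m["ip"])), m["rating"],
                            int(m["queries"]), int(m["ports"]), float(m["stddev"]))
    raise ValueError("no porttest result line in output")

def diagnose(dig_output: str, secondary_egress: str, primary_egress: str):
    """Say which server the result describes, given each server's public address."""
    result = parse_porttest(dig_output)
    sec = str(ipaddress.ip_address(secondary_egress))
    pri = str(ipaddress.ip_address(primary_egress))
    if result.source == sec == pri:
        verdict = "shared-address"    # NAPT: ports reflect the translator's mapping
    elif result.source == sec:
        verdict = "secondary-tested"
    elif result.source == pri:
        verdict = "primary-tested"    # secondary is forwarding to the primary
    else:
        verdict = "unknown-source"    # another forwarder or NAT address
    return verdict, result

# Constructed sample output; addresses are from the documentation ranges.
SAMPLE = '''porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.0.2.10 is GOOD: 26 queries in 2.0 seconds from 26 ports with std dev 17685.51"'''

if __name__ == "__main__":
    print(diagnose(SAMPLE, secondary_egress="192.0.2.53", primary_egress="192.0.2.10"))
```

A "primary-tested" verdict means the rating says nothing about the secondary's own source port behaviour; a "shared-address" verdict means the ports observed are those chosen by the translating device.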