Unapproved AXFR?

Lars-Johan Liman liman at sunet.se
Mon Dec 13 15:19:22 UTC 1999


barmar at bbnplanet.com:
> Why they're trying to transfer from your server is a mystery to me.
> They could be confused, or maybe you're their default server and
> they forgot to specify a server when trying to list the domain.  If
> you want to know, find the people in charge of that machine and ask
> them.


dspigelm at acp.org:
> Thanks for the reply. It's along the lines of what I thought, but I
> couldn't really imagine that they were actually trying
> that. Bizarre!  Thanks again.


Actually, there are two obvious reasons to do that.

The first one is the one that people always jump to: someone is
trying to identify all my computers. That is not likely to be a
security leak, so why bother protecting it? (My question is more
honest than it sounds: is there really a reason to protect this?)

If the number of outgoing zone transfers is becoming a load problem on
the server, it's of course worth looking into.

The second reason to do a zone transfer from someone unknown is to
try to solve a problem. Someone with a decent amount of DNS-clue may
have found a DNS problem that leads to your server. It might be
misconfigured, it might contain invalid data, whatever. From time to
time, a zone transfer can provide valuable information in pursuit of
such a problem, and it might actually lead to someone helping you
correct your own configuration. If they can't do the zone transfer,
they will probably say "never mind, let him have his own problems",
and your server will continue to be misconfigured.

Of the two, the first one is probably more likely in today's
Internet :-(, although I've never figured out what they do with the
information.

To the news group/mailing list:

If there is anyone out there who can give me a good and sound
technical reason for blocking zone transfers in the general case,
please let me know. I struggle with the feeling that I want to limit
them for some fuzzy security related issue that I can't pin-point, but
so far my feelings have been unable to convince my logical CPU that
there is a strong technical reason to do so, so I keep them open - for
now.

Reasons of the kind "It's generally not a good idea to give
information away." don't count. I want hard technical facts: "If you
give away zone transfers, the information can be used to do malicious
attacks of the following types, and that would be impossible without
the zone transfer".

				Sorry for interrupting your cozy
				Monday afternoon/morning :-)

				Best regards,
				  /Liman
#----------------------------------------------------------------------
# Lars-Johan Liman, Systems Specialist	! E-mail: liman at sunet.se
# KTH Network Operations Centre         ! HTTP  : //www.sunet.se/~liman
# Royal Institute of Technology, Sweden	! Voice : Int +46 8 - 790 65 60
#----------------------------------------------------------------------
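As an added illustration of the choice debated above (not part of the original post or the bind-users thread), here is a BIND 9 named.conf fragment showing the open setting beside the restricted one, with logging of both granted and denied transfer requests so the volume and the requesters can actually be reviewed. It assumes the zone example.com, a secondary at 192.0.2.53 and a key named xfer-key; all three are placeholders, and the secret must come from tsig-keygen.

```conf
// Added example in BIND 9 syntax (the 1999 post predates it).
// TSIG key shared with the secondary; generate it with `tsig-keygen xfer-key`.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // placeholder, not a real key
};

// Open setting, as discussed in the thread: any client may AXFR every zone.
//   options { allow-transfer { any; }; };

// Restricted setting: deny globally, then allow per zone only to the
// named secondary AND only when the request is signed with the key.
options {
    allow-transfer { none; };
};

zone "example.com" {
    type primary;                       // "type master" on older BIND 9
    file "/var/named/example.com.zone";
    // ACL idiom for "address AND key": a client other than 192.0.2.53
    // matches the negated nested ACL and is denied; 192.0.2.53 falls
    // through to the key element and is allowed only if TSIG-signed.
    allow-transfer { !{ !192.0.2.53; any; }; key xfer-key; };
    also-notify { 192.0.2.53; };
};

// xfer-out records granted transfers; security records denied ones.
logging {
    channel xfer_log {
        file "/var/log/named/xfer.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category xfer-out { xfer_log; };
    category security { xfer_log; };
};
```

Check the result with `named-checkconf`, then request a transfer from a host other than the secondary and confirm a "denied" entry appears in xfer.log.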

