Unapproved AXFR? (technical reason)

Takács István istvan.takacs at szerencsejatek.hu
Thu Dec 16 09:37:08 UTC 1999


Hi,

> I was bitching because I was trying to provoke 
> someone to produce a more technical reason.

My technical (security) reason is to block the script kiddies from downloading
our zone files.

An example from the man page of NMAP (one of the most popular scanner tools):
http://www.insecure.org/nmap/

       host -l company.com | cut '-d ' -f 4 | ./nmap -v -i -

       Do a DNS zone transfer to find the  hosts  in  company.com
       and  then  feed  the IP addresses to nmap.

With this procedure the cracker can target the hosts that he or she
finds in the zone file, and nmap is just one example of many
cracker tools that use this procedure to find the existing servers.

Maybe the allow-query option won't hold up an advanced cracker, but
most of the script kiddies can't do anything with this and the blocked
ICMP reply packets.
And the internet connections will work with the 'allow-query' option,
too.

Regards,

		Istvan
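The configuration below is an added example, not part of the original message or of BIND's own documentation. It shows the zone-transfer restriction the message argues for: a zone with no transfer restriction next to the same zone limited to a single TSIG-authenticated secondary. It uses BIND's allow-transfer directive, which is the setting that governs AXFR requests specifically (allow-query, mentioned above, governs ordinary queries). The zone name company.com is taken from the nmap man page excerpt above; the secondary's address 192.0.2.53, the key name "xfer-key" and the key secret are placeholders.

```conf
// --- Weak: no allow-transfer statement at zone or options level.
// When the directive is omitted, BIND of this era falls back to its
// built-in default, which permits AXFR from any client, so the
// "host -l company.com" step in the nmap man page succeeds.
zone "company.com" {
    type master;
    file "db.company.com";
};

// --- Hardened: transfers only to the secondary, and only when signed.
// TSIG key shared with the secondary (placeholder name and secret).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET=";   // placeholder, generate your own
};

options {
    // Global default: refuse AXFR unless a zone says otherwise.
    allow-transfer { none; };
};

zone "company.com" {
    type master;
    file "db.company.com";
    // Only requests signed with xfer-key may transfer this zone.
    // Matching on the key rather than on the address alone means a
    // spoofed source address is not enough to obtain the zone.
    allow-transfer { key "xfer-key"; };
    // Placeholder address of the secondary (documentation range).
    also-notify { 192.0.2.53; };
};

// The secondary must sign its requests with the same key; on its side
// this is done with:  server <primary-address> { keys { "xfer-key"; }; };
```

To verify the setting on your own server, run `dig @ns1.company.com company.com axfr` from a host that does not hold the key; a correctly configured server answers "Transfer failed." and logs the refused request, which is also a useful signal to alert on, since legitimate secondaries never trip it.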
