Unapproved AXFR? (technical reason)
Takács István
istvan.takacs at szerencsejatek.hu
Thu Dec 16 09:37:08 UTC 1999
Hi,
> I was bitching because I was trying to provoke
> someone to produce a more technical reason.
My technical (security) reason is to block the script kiddies from downloading
our zone files.
An example from the man page of NMAP (one of the most popular scanner tools):
http://www.insecure.org/nmap/
host -l company.com | cut '-d ' -f 4 | ./nmap -v -i -
Do a DNS zone transfer to find the hosts in company.com
and then feed the IP addresses to nmap.
With this procedure the cracker can target the hosts that he/she
finds in the zone file, and nmap is just one example of the many
cracker tools that use this procedure to find the existing servers.
Maybe the allow-query option won't hold up an advanced cracker, but
most of the script kiddies can't do anything with this and the blocked
ICMP reply packets.
And the Internet connections will work with the 'allow-query' option,
too.
Regards,
Istvan
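As an added example (not part of Istvan's post and not taken from the nmap or BIND documentation), here is what restricting zone transfers looks like in a BIND named.conf. Note that the directive that governs AXFR in BIND 8 and 9 is allow-transfer; allow-query controls ordinary lookups, which is why resolution for the rest of the Internet keeps working after the change. The zone name, file path and addresses are placeholders (RFC 5737 documentation ranges); the two zone stanzas are alternatives, the first shown only for contrast, and must not both appear in a real configuration.

```conf
// Added example, not from the original post. Names, paths and addresses
// are placeholders; replace them with your own.

// WEAK (before): anyone on the Internet can pull the whole zone with
//   dig @ns1.example.com example.com AXFR
// and pipe the hostnames into a scanner, exactly as the nmap man page
// line in the post does with "host -l". BIND 8 and BIND 9 historically
// defaulted to this behaviour when allow-transfer was omitted entirely.
zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-transfer { any; };
};

// HARDENED (after): transfers only to the listed secondaries.
// Everybody else gets "; Transfer failed." from dig, while normal
// A/MX/NS queries for the zone are still answered to the world.
acl "secondaries" {
    198.51.100.53;     // ns2.example.com (placeholder address)
    203.0.113.53;      // ns3.example.com (placeholder address)
};

options {
    directory "/var/named";
    // Global default: no AXFR to anyone unless a zone stanza
    // explicitly widens it. Cheaper than remembering to set it per zone.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-transfer { "secondaries"; };
    also-notify { 198.51.100.53; 203.0.113.53; };
};
```

After reloading named, check from a host that is not in the ACL with `dig @ns1.example.com example.com AXFR`; the expected result is "; Transfer failed." rather than a record listing. This closes the `host -l` enumeration path the post describes, but as Istvan notes it is not a barrier to a determined attacker: reverse lookups over your address space, dictionary guessing of hostnames and plain port scanning still find the same servers, so treat it as reducing easy reconnaissance, not as hiding hosts.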