Unapproved AXFR? (technical reason)

Andreas Holzhammer Andreas.Holzhammer at kiosk-online.de
Thu Dec 16 09:52:19 UTC 1999


Hi!

Now this is a very good reason to block zone-transfers.

Now to my question ;-)

Is there a way to block zone-transfers based on the NS records
in the zone?
Or do I have to add "allow-transfer" statements to each and 
every master-zone definition in named.conf?

The latter would require some major rework on the way the
named.conf is generated here :-(

Thanx,

   Andreas

 
> > I was bitching because I was trying to provoke
> > someone to produce a more technical reason.
> 
> My technical (security) reason is to block the script kiddies from downloading
> our zone files.
> 
> An example from the man page of NMAP (one of the most popular scanner tools):
> http://www.insecure.org/nmap/
> 
>        host -l company.com | cut '-d ' -f 4 | ./nmap -v -i -
> 
>        Do a DNS zone transfer to find the  hosts  in  company.com
>        and  then  feed  the IP addresses to nmap.
> 
> With this procedure the cracker can target the hosts that he/she
> finds in the zone file, and nmap is just one example of many
> cracker tools that use this procedure to find the existing servers.
> 
> Maybe the allow-query option won't hold up an advanced cracker, but
> most of the script kiddies can't do anything with this and the blocked
> ICMP reply packets.
> And the internet connections will work with the 'allow-querys' option,
> too.

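As an added example (not part of the thread): a small Python audit that walks a constructed named.conf excerpt and reports each master zone's effective allow-transfer policy, which is what the question above is really about. It relies on BIND accepting allow-transfer both in options {} (the default for every zone) and inside a zone {} block (overriding that default); the ACL name, addresses and zone names are made up, and the fallback of "any" when nothing is configured is BIND's historical default, assumed here.

```python
import re

# Constructed named.conf excerpt (not from the thread). It shows the two
# places allow-transfer can live: a site-wide default in options {} and a
# per-zone statement that overrides it.
SAMPLE_NAMED_CONF = """
acl "secondaries" { 192.0.2.53; 198.51.100.53; };   // assumed secondary NS
options {
    directory "/var/named";
    allow-transfer { "secondaries"; };   // default for every zone
};
zone "example.com" {
    type master;
    file "db.example.com";
};
zone "example.net" {
    type master;
    file "db.example.net";
    allow-transfer { any; };   // zone-level override: open to the world
};
zone "example.org" {
    type slave;
    file "bak.example.org";
    masters { 192.0.2.1; };
};
"""

# A block is 'options' or 'zone "name"' followed by a body closed by "};"
# at the start of a line (inner one-line statements never match that).
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)
XFER_RE = re.compile(r'allow-transfer\s*\{\s*([^}]*?)\s*;\s*\}')

def strip_comments(text):
    # Handles // and # line comments only (no /* */ blocks).
    return re.sub(r'//[^\n]*|#[^\n]*', '', text)

def effective_transfer_policy(conf):
    """Map each master zone to the allow-transfer list that applies to it:
    its own statement, else the options {} default, else "any"."""
    default = "any"   # assumed historical BIND default when unset
    zones = {}
    for kind, name, body in BLOCK_RE.findall(strip_comments(conf)):
        m = XFER_RE.search(body)
        if kind == "options":
            default = m.group(1) if m else default
        elif re.search(r'type\s+master\s*;', body):
            zones[name] = m.group(1) if m else default
    return zones

def open_zones(conf):
    """Master zones whose effective policy still lets anyone transfer."""
    return sorted(z for z, p in effective_transfer_policy(conf).items() if p == "any")
```

Run against the real named.conf, the result is the list of master zones that still need attention; an empty list means the options {} default already covers them.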
