Unapproved AXFR? (technical reason)
Andreas Holzhammer
Andreas.Holzhammer at kiosk-online.de
Thu Dec 16 09:52:19 UTC 1999
Hi!
Now this is a very good reason to block zone-transfers.
Now to my question ;-)
Is there a way to block zone-transfers based on the NS records in the zone?
Or do I have to add "allow-transfer" statements to each and every master-zone
definition in named.conf?
The latter would require some major rework on the way the named.conf is
generated here :-(
Thanx,
Andreas
> > I was bitching because I was trying to provoke
> > someone to produce a more technical reason.
>
> My technical (security) reason is to stop the script kiddies from downloading
> our zone files.
>
> An example from the man page of NMAP (one of the most popular scanner tools):
> http://www.insecure.org/nmap/
>
> host -l company.com | cut '-d ' -f 4 | ./nmap -v -i -
>
> Do a DNS zone transfer to find the hosts in company.com
> and then feed the IP addresses to nmap.
>
> With this procedure the cracker can target the hosts that he/she
> finds in the zone file, and nmap is just one example of many
> cracker tools that use this procedure to find the existing servers.
>
> Maybe the allow-query option won't hold up an advanced cracker, but
> most of the script kiddies can't do anything with this and the blocked
> icmp reply packets.
> And the internet connections will work with the 'allow-query' option,
> too.
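On the question of whether "allow-transfer" has to be repeated in every master zone: BIND accepts allow-transfer inside the options block as a server-wide default, and a zone statement only needs its own allow-transfer when it should differ from that default. The script below is an added example (not from this thread and not part of BIND) that reads a named.conf, applies that precedence (zone-level ACL, then the options-level ACL, then the built-in default, assumed here to be "any" as it was in the BIND 8 era), and lists the master zones that are still transferable by anyone. The named.conf it parses is a constructed sample; point `effective_transfer_acls` at a real file's contents to audit a generated configuration before rolling it out.

```python
import re

# Constructed sample named.conf (BIND 8-style syntax), not taken from the thread.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    // server-wide default: only the secondaries may pull zones
    allow-transfer { 192.0.2.53; 198.51.100.53; };
};

zone "company.example" {
    type master;
    file "company.example.db";
    // no allow-transfer here: inherits the options-level ACL
};

zone "partner.example" {
    type master;
    file "partner.example.db";
    allow-transfer { any; };   // zone-level override reopens AXFR to everyone
};

zone "example.net" {
    type slave;
    file "example.net.bak";
    masters { 192.0.2.1; };
};
"""

ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}\s*;")


def _strip_comments(text):
    """Remove /* */, // and # comments so braces inside them are not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_statements(conf):
    """Return [(header, body)] for each top-level `header { body };` statement,
    tracking brace depth so nested blocks such as `masters { ... };` stay inside
    their parent."""
    conf = _strip_comments(conf)
    stmts, depth, header_start, body_start, header = [], 0, 0, 0, ""
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:
                header = conf[header_start:i].strip()
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                stmts.append((header, conf[body_start:i]))
                semi = conf.find(";", i)
                header_start = semi + 1 if semi != -1 else i + 1
    return stmts


def parse_acl(body):
    """Return the allow-transfer address-match list in a block, or None if absent."""
    m = ACL_RE.search(body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def effective_transfer_acls(conf, default_acl=("any",)):
    """Map each master zone to its effective allow-transfer ACL.
    Precedence: zone statement, then options block, then the built-in default
    (assumed 'any' here, as in BIND 8)."""
    global_acl, zones = None, {}
    for header, body in top_level_statements(conf):
        if header == "options":
            global_acl = parse_acl(body)
        elif header.startswith("zone"):
            m = re.match(r'zone\s+"([^"]+)"', header)
            if m and re.search(r"\btype\s+master\s*;", body):
                zones[m.group(1)] = parse_acl(body)
    fallback = global_acl if global_acl is not None else list(default_acl)
    return {name: (acl if acl is not None else fallback) for name, acl in zones.items()}


def open_zones(conf, default_acl=("any",)):
    """Master zones whose effective ACL still contains 'any'."""
    acls = effective_transfer_acls(conf, default_acl)
    return sorted(name for name, acl in acls.items() if "any" in acl)


if __name__ == "__main__":
    for name, acl in effective_transfer_acls(SAMPLE_NAMED_CONF).items():
        print(f"{name}: allow-transfer {{ {'; '.join(acl)}; }}")
    print("world-transferable:", open_zones(SAMPLE_NAMED_CONF))
```

In the sample, company.example inherits the two secondaries from the options block, while partner.example's own `allow-transfer { any; }` overrides it and is reported as world-transferable; removing the options-level ACL would report both master zones, which is the situation the thread's nmap one-liner relies on.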
More information about the bind-users
mailing list