How to disable record listing ?

Stefan Probst stefan.probst at opticom.v-nam.net
Tue Aug 1 08:02:03 UTC 2000


What I understand is that they are providing all of their customers with
a public sub-domain. Therefore the *public* list of sub-domains becomes
the *private* data as the customer's list. A competitor could thereby
easily get their customer list by just pulling their zone file.

Of course, the competition would know this when they see somewhere
somebody using this subdomain, but it is a much slower process to monitor
the Net for that subdomain's occurrences than to just pull the zone
file.

Since they are not operating any firewall, split zones etc., "Split DNS"
wouldn't be an option, as far as I understand.

And in this case they are right as far as I understand:
Restrict zone transfers at the master AND at all slaves, i.e. at the ISP
in this case.

Hope I am not too far off ;-)
Stefan

At 16:55 31.07.00 -0400, Kevin Darcy wrote:
-------------------------
> 
> You shouldn't have *private* data in the *public* DNS. Period. End of
> sentence.
> 
> Blocking zone transfers is a band-aid to the problem. What you really need is
> split DNS.
> 
> 
> 
> - Kevin
> 
> Tal Dayan wrote:
> 
> > Thanks for the info.
> >
> > The motivation for the blocking is to avoid our competitors getting our
> > customer list (each has a sub domain).
> > We asked our ISP to block the list as well.
> >
> > Tal
> >
> > > -----Original Message-----
> > > From: jim at gromit.rfc1035.com [mailto:jim at gromit.rfc1035.com]On Behalf Of
> > > Jim Reid
> > > Sent: Friday, July 28, 2000 6:23 AM
> > > To: ted_jmt at zapta.com
> > > Cc: comp-protocols-dns-bind at moderators.isc.org
> > > Subject: Re: How to disable record listing ?
> > >
> > >
> > > >>>>> "ted" == ted jmt <ted_jmt at zapta.com> writes:
> > >
> > >     ted> When we query both servers with nslookup 'ls' command we get
> > >     ted> the entire list of hosts in our domain (there are several
> > >     ted> hundreds of them). Is there a way to instruct Bind not to
> > >     ted> release the list and still have the ISP server backing up our
> > >     ted> server ?
> > >
> > > The allow-transfer clause in named.conf can be used to control who can
> > > do zone transfers. This is what the ls command of nslookup does. [BTW,
> > > nslookup is a pathetic tool: use dig for DNS troubleshooting.] However
> > > restricting zone transfers doesn't achieve much. For instance if you
> > > only let your ISP's name server do zone transfers of your zone(s),
> > > there's not much point unless they configure their server to do
> > > likewise. There's usually not a resource problem with zone transfers,
> > > so limiting them "because of the load" is unlikely to be a factor. And
> > > restricting zone transfers doesn't make anything more (or less)
> > > secure.
> > >
> > >
> > >
> 
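The allow-transfer restriction discussed in this thread, applied at the master and at the ISP's slave, as an added example that is not part of the original posts. The zone name example.com and the addresses 192.0.2.53 (master) and 198.51.100.53 (ISP slave) are constructed placeholders.

```conf
// Added example, not from the thread: BIND named.conf fragments.
// 192.0.2.53 = the customer's master, 198.51.100.53 = the ISP's slave
// (both constructed placeholder addresses).

// --- On the master (the customer's own server) ---
acl "isp-slaves" { 198.51.100.53; };

options {
    // Global default: no zone may be transferred unless a zone
    // statement explicitly overrides this.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "master/example.com.db";
    // Only the ISP's slave may pull the zone (AXFR/IXFR);
    // NOTIFY tells it when a new serial is available.
    allow-transfer { "isp-slaves"; };
    also-notify { 198.51.100.53; };
};

// --- On the ISP's slave ---
// The slave must refuse transfers too, otherwise the host listing
// simply leaks from there instead of from the master.
zone "example.com" {
    type slave;
    file "slave/example.com.db";
    masters { 192.0.2.53; };
    allow-transfer { none; };
};
```

To check the result, run `dig @198.51.100.53 example.com axfr` from an address outside the ACL: the transfer should be refused. An address-based ACL only identifies the peer by source IP; BIND 9 also accepts a TSIG key name in `allow-transfer` where stronger authentication of the slave is wanted.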


