How to disable record listing?

Jim Reid jim at rfc1035.com
Tue Aug 1 09:54:08 UTC 2000


>>>>> "Stefan" == Stefan Probst <stefan.probst at opticom.v-nam.net> writes:

    Stefan> Since they are not operating any firewall, split zones etc.,
    Stefan> "Split DNS" wouldn't be an option, as far as I understand.

It's not necessary to run a firewall to implement split DNS. The two
things tend to go together as part of a security policy though.

    Stefan> And in this case they are right as far as I understand:
    Stefan> Restrict zone transfers at the master AND at all slaves,
    Stefan> i.e. at the ISP in this case.

Nope. Restricting zone transfers does not in any way whatsoever
conceal that sensitive information. All it does is prevent some IP
addresses from performing a zone transfer and getting all that
sensitive customer data in one DNS request. That data will still be in
the DNS and can still be looked up. Suppose someone broke in to the
name servers? Or how about if a bad guy issues the AXFR request from a
"trusted" IP address? Or what if they just made educated guesses about
the customer names that were in that zone?

A good example to consider here is the .com zone. Zone transfers are
denied to prevent spammers and because of the sheer size of the
zone. [Transferring this zone is non-trivial and presents serious
resourcing problems.] This doesn't prevent anyone from making queries
to the .com name servers to find out if names like sony.com or
corner-shop-widget-company.com are present.
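The restriction Stefan describes (zone transfers limited at the master and at every slave), written out as BIND 9 named.conf fragments added here for illustration; they are not from the original post or from the ISP in question. The addresses, zone name and key name are placeholders, and the comments carry Jim's caveat that this only bounds bulk AXFR, not per-record lookups.

```conf
// ---- master (primary) name server ----
// TSIG key shared with the slaves. A key-based ACL is not defeated by a
// forged source address the way an IP-only ACL is (the "trusted IP" case).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // placeholder; generate with tsig-keygen
};

options {
    allow-transfer { none; };   // deny AXFR/IXFR by default for every zone
};

zone "example.net" {
    type master;
    file "db.example.net";
    also-notify { 192.0.2.53; };            // documentation address for the slave
    allow-transfer { key "xfer-key"; };     // only TSIG-signed transfer requests
};

// ---- slave (secondary) at the ISP ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // same placeholder secret as the master
};

server 192.0.2.1 {                          // documentation address for the master
    keys { "xfer-key"; };                   // sign our transfer requests to it
};

zone "example.net" {
    type slave;
    masters { 192.0.2.1; };
    file "bak/db.example.net";
    allow-transfer { none; };   // the slave must refuse too, or the master's ACL is moot
};

// Caveat (Jim's point): none of the above conceals a record. A query for
// host.example.net is still answered for anyone; these ACLs only remove the
// one-request bulk download, and a compromised server hands over the file anyway.
```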



More information about the bind-users mailing list