How common is blocking tcp port 53 to prevent unauthorized zone transfers?

Kevin Darcy kcd at daimlerchrysler.com
Thu Oct 26 20:36:59 UTC 2000


I'm not sure how common it is, but I'd hope it would be non-existent. Zone
transfers should be blocked -- if at all -- on the nameserver, which,
unlike stupid router or firewall filters, can distinguish between a zone
transfer request and a regular TCP query because, yes, you *should* worry
about queries/responses greater than 512 bytes. If you ever want to enable
IXFR, you should be aware that the IXFR spec permits the use of UDP. Your
dumb filters wouldn't be able to block those zone transfers, so you'd
*still* have to configure transfer restrictions in your nameserver.


- Kevin

David Hines wrote:

> How commonly is this approach used to limit zone transfers, and should I
> worry about it with respect to queries/responses greater than 512 bytes?
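The nameserver-side restriction Kevin is describing, as an added BIND named.conf example that is not part of his post or the thread. The zone name, the secondary's address 192.0.2.2, the key name "xfer-key" and its secret are illustrative assumptions; the two fragments are alternatives to compare, not one file.

```conf
// Added example, not from the original post. Zone, addresses, key name
// and secret are placeholders. Fragment A and fragment B are alternatives.

// ---- Fragment A (weak): rely on a router filter for TCP/53 ----
// The filter drops AXFR because AXFR uses TCP, but it also drops the TCP
// retry a resolver makes after a truncated (>512-byte) UDP answer, and it
// does nothing about a transfer request that arrives over UDP. named itself
// still hands the zone to anyone who can reach it.
options {
    directory "/var/named";
    allow-transfer { any; };      // every host may pull the zone
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---- Fragment B (corrected): leave TCP/53 open, restrict in named ----
// TSIG key shared with the secondary. hmac-sha256 is BIND 9 syntax; the
// secret is a placeholder, generate a real one (e.g. with tsig-keygen in
// current BIND 9) and keep this block readable only by named.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET==";
};

// Sign traffic to, and expect signed requests from, the secondary.
server 192.0.2.2 {
    keys { "xfer-key"; };
};

options {
    directory "/var/named";
    // Global default: no zone transfer to anyone, whatever the transport.
    // Ordinary queries, including large ones answered over TCP, still work.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Per-zone exception: only a request signed with xfer-key is served.
    // A plain address list (e.g. { 192.0.2.2; }) also works, but the key
    // ties the transfer to a shared secret rather than to a source address.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };
};

// Checks after reloading named (run from a host that is not the secondary):
//   dig @ns1.example.com example.com AXFR      -> "Transfer failed."
//   dig +tcp @ns1.example.com example.com SOA  -> normal answer over TCP
```

Put `allow-transfer { none; }` in `options` first and open it per zone; that way a zone added later without its own clause is closed by default rather than open.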






More information about the bind-users mailing list