High Zone Xfer?

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Tue Feb 20 03:59:15 UTC 2001


> On Tue, Feb 20, 2001 at 09:27:36AM +1100, Mark.Andrews at nominum.com wrote:
> > 	That said it gives some people a warm fuzzy feeling to block
> > 	zone transfers in the belief that it will significantly slow
> > 	down attempts to break into the site or reduce spam.
> 
> Mark, could you clarify here?  Are you saying features like
> "allow-transfer" are useless?

	I'm not saying that allow-transfer is useless, especially
	when combined with allow-query.  People block transfers
	of reverse zones.  It's easy enough to enumerate the
	reverse space.  As for the forward space, names leak
	through many sources.

	If you put something in the DNS and make it available to
	regular queries don't expect it to stay hidden because
	you have an allow-transfer.

> 
> Personally I find that if there's no reason for any machines other than
> my hosting servers to send transfers to one-another, then the transfers
> should be limited to those machines.  

	That's your prerogative.

> 
> Yes, it's a public database (more like a caching proxy, but hey...
> whatever...) but there's no need to hand people all your machine names
> in one easy-to-make query.
> 
> Agreed however that most attackers simply don't care or don't use DNS,
> but I see no reason to give them the luxury in a properly designed
> architecture.
> 
> -- 
> Nate Duehr <nate at natetech.com>
> 
> GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
> Public Key available upon request, or at wwwkeys.pgp.net and others.
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
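The distinction Mark draws above, allow-transfer alone versus allow-transfer combined with allow-query, as an added named.conf illustration that is not part of the original thread; the ACL names, addresses and zone names are constructed placeholders.

```conf
// Added example (not from the original post): BIND named.conf fragments
// contrasting allow-transfer on its own with allow-transfer plus allow-query.
// Addresses and zone names are constructed placeholders.

acl "secondaries" { 192.0.2.2; 192.0.2.3; };   // hosts that legitimately pull AXFR
acl "internal"    { 10.0.0.0/8; 127.0.0.1; };  // networks that may query hidden data

// 1. Only AXFR is restricted. Anyone can still query individual names, so the
//    contents stay discoverable: a reverse zone can be walked one PTR record
//    at a time, and forward names leak through mail headers, links, logs, etc.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };
};

// 2. Transfers AND ordinary queries are restricted. This is the combination
//    that actually keeps zone data off the public Internet; it only makes
//    sense for zones that outside resolvers have no legitimate reason to ask.
zone "10.in-addr.arpa" {
    type master;
    file "10.in-addr.arpa.zone";
    allow-query    { internal; };
    allow-transfer { secondaries; };
};
```

To check the effect, a PTR lookup in the second zone from an address outside the "internal" ACL is answered REFUSED, while the first zone still answers any single-name query from anywhere and only refuses AXFR.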


More information about the bind-users mailing list