NSLOOKUP - ls -d reveals SOA record... ?

James Raftery james-bind-users at now.ie
Thu Jan 18 10:08:13 UTC 2001


On Thu, Jan 18, 2001 at 05:09:50AM +0000, Ron Treleaven wrote:
> If I run nslookup against my domain and set q=SOA and the "ls -d domain.com"
> command, the result reveals my SOA info... which might not be a good
> thing...    How would I best disable or limit a database query?

Hi Ron,

Firstly, an SOA record is just another resource record type, along with
NS, A, MX and so on. Anybody can query for it. That's the way things are
meant to work.

However, I think you might be looking for a way to control who can get a
full copy of the entire zone in one go -- a 'zone transfer'. Use the
'allow-transfer' option in your configuration file. You can supply a
list of IP addresses from which zone transfers will be honoured. The list
can be set for all zones on your server in the 'options{}' clause, or on
a zone-by-zone basis by adding an individually tailored 'allow-transfer'
to each 'zone{}' clause.

Don't forget to add 'allow-transfer' statements to the configuration of
your secondary nameservers too.


james
-- 
James Raftery (JBR54)
  "Managing 4000 customer domains with BIND has been a lot like
   herding cats." - Mike Batchelor, on dns at list.cr.yp.to.
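As an added illustration of the 'allow-transfer' control described above (example configuration, not from James's message or the BIND project), a named.conf fragment with a server-wide default in 'options{}', a per-zone override, and the matching statement on a secondary. All addresses are constructed placeholders from the 192.0.2.0/24 documentation range, and the zone and file names are assumptions.

```conf
// Added example: restricting zone transfers in named.conf.
// Addresses, zone names and file names are placeholders.

// Hosts permitted to pull a full copy of a zone (AXFR/IXFR).
acl "secondaries" {
    192.0.2.10;          // secondary nameserver #1 (placeholder)
    192.0.2.11;          // secondary nameserver #2 (placeholder)
};

options {
    directory "/var/named";

    // Server-wide default: honour zone transfers from nobody.
    // Ordinary queries (SOA, NS, A, MX, ...) are unaffected.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "db.example.com";

    // Per-zone override: only the listed secondaries may transfer.
    allow-transfer { secondaries; };
};

zone "internal.example.com" {
    type master;
    file "db.internal.example.com";
    // No override here, so the server-wide 'none' applies.
};

// --- On a secondary nameserver (separate named.conf) ---
// The secondary holds a full copy too, so it needs its own restriction.
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };          // primary nameserver (placeholder)
    file "bak/db.example.com";
    allow-transfer { none; };        // never hand the zone out onwards
};
```

After reloading, a transfer request (for example `dig @192.0.2.1 example.com AXFR`) from a host not in the list should be refused, while a plain SOA query still answers normally.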