Can/Should I allow zone transfers(?) in BIND?

Kevin Darcy kcd at daimlerchrysler.com
Fri Jun 8 01:08:16 UTC 2001


kenny at panix.com wrote:

> In article <9fortj$9l9 at pub3.rc.vix.com>,
> Kevin Darcy <kcd at daimlerchrysler.com> says:
>
> >Why would a nameserver ask you for a zone transfer just because you asked
> >*it* about a name? How would it even know what zone to ask for?
>
> Oh- I figured it goes something along the lines of the other NS asking "BTW-
> do you serve any domains?" and since I don't have any "notify no" lines in
> my caching setup (well, didn't before today, anyway), my NS thinks I do (I
> am master for the .localdomain domain and 127.in-addr.arpa domains, right?)
> and tries to "serve" them (as should be plainly obvious by now, I only have a
> passing knowledge of "bind"'s operation).

No, that's not how it works. First of all, there's no way to query "what domains
do you serve?" directly. Secondly, "notify no" just means the master won't tell
its slaves when the zone changes; it doesn't have any direct effect on ordinary
queries or even zone transfers.

> >>  - I notice SYN's not set- so does this mean I've initiated this?
>
> >The SYN-bit would be set regardless of who initiated the TCP connection.
> >The absence of SYN from the logs indicates some sort of logging quirk.
>
> Nah, I don't capture or log outgoing data- the only reason these were
> logged is 'cause I don't let in TCP to a dest port < 1024 except for very
> few exceptions.
>
> SYN is set on the origination, but not on any replies, right?

During connection setup you should see the SYN bit set in packets going in both
directions ("SYN... SYN-ACK... ACK", the mating call of the Internet). That's why
I said it's a logging quirk -- no matter who is establishing the connection, you
should see the SYN bit set. Once the connection is established, then the packets
going back and forth won't have the SYN bit set. Is it possible that this was a
long-running TCP connection and ipchains only logged some of it?

> That's what
> led me to think my machine had originated these. I get 'em in bursts of
> 10-20 disparate hosts from all over, every couple of days or so, and I
> wondered if I was blocking legit BIND traffic.

TCP queries are legitimate, even aside from zone transfers. If a reply isn't big
enough to fit in a UDP packet, then a resolver may retry the query using TCP. So
you shouldn't be blocking TCP blindly. If you want to control who can do zone
transfers from your server, use the "allow-query" mechanism in named.conf.


- Kevin
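The closing advice above is to leave TCP port 53 reachable and control zone transfers in named.conf. The fragment below is an added configuration example, not taken from this thread or from the BIND distribution; the zone name, ACL names and addresses are placeholders drawn from the documentation ranges. In BIND, allow-query governs who may send ordinary queries (UDP or TCP), allow-transfer governs who may pull a whole zone by AXFR, and notify only controls whether the master sends NOTIFY messages to its slaves, so the weak and corrected settings are shown side by side:

```conf
// Added example named.conf fragment (not from the thread). Addresses are
// RFC 5737 documentation ranges used as placeholders.
acl "secondaries" { 203.0.113.2; 203.0.113.3; };   // hosts allowed to AXFR
acl "internal"    { 192.0.2.0/24; 127.0.0.1; };    // hosts allowed recursion

options {
    directory "/var/named";

    // Weak: anyone may query, and anyone may also copy the entire zone.
    // allow-query    { any; };
    // allow-transfer { any; };

    // Corrected: queries stay open to everyone (a blocked TCP/53 would break
    // answers too large for UDP), transfers go only to known secondaries,
    // and recursion is limited to our own users.
    allow-query     { any; };
    allow-transfer  { "secondaries"; };
    allow-recursion { "internal"; };

    // "notify no" would merely stop NOTIFY messages to slaves; it has no
    // effect on who may query or transfer.
    notify yes;
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // A per-zone allow-transfer overrides the global one for this zone only.
    allow-transfer { "secondaries"; };
};
```

With this in place, a transfer request from an address outside the "secondaries" ACL is refused by named while ordinary TCP queries from anywhere still succeed, which is the distinction the thread is drawing between blocking TCP at the firewall and gating transfers in the nameserver.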
