Our ISP says they can't restrict zone transfers

Kevin Darcy kcd at chrysler.com
Thu Apr 10 23:22:27 UTC 2008


William Bell wrote:
> Hi,
> First, it's been a few years since I maintained BIND servers, so please
> forgive my rustiness.  :)
> I couldn't find an answer to this particular question in the archives, so...
> What valid reason would any ISP or DNS hosting company have for NOT
> restricting zone transfers to valid nameservers, IPs, hosts, etc?
>
> Also, a "zone transfer" and an AXFR request are the same thing, aren't they?
>
> Why I'm asking this question:
> We recently determined that our ISP/DNS host (Time Warner Telecom) allows
> zone transfers for our domains from anywhere on the internet (as far as we
> can tell).  So I called and asked them to restrict zone transfers for our
> domains to their own DNS servers and to our internet IP blocks.  Sounds like
> a simple "allow-transfer" directive in our zone file, right?  Not according
> to the TW rep I spoke to.  They told me that, since they were the
> authoritative DNS servers for our domains, if they restricted zone transfers
> as I requested, then no one would be able to access our DNS and thus no one
> would be able to access our servers from the internet.  Okay, it's been 4 or
> 5 years since I've done any DNS work, but this response struck me as a bit
> strange.  I began to suspect that either I was much less informed about DNS
> than this Time Warner rep or vice versa.
>
> In addition, during the course of the conversation, she also stated with
> conviction that zone transfers and AXFRs were 2 different things.  I was so
> dumbfounded that I didn't know what to say.  Again, I gave her the
> benefit of the doubt; I considered that maybe I had been somehow misinformed
> all these years or that the DNS paradigm had changed -- after all this was a
> "level 2" person in the DNS group at Time Warner -- so I let it go.   I just
> thanked her for her time, asked her to keep the ticket open and told her I
> would get back to them.
>
> I should've just escalated, but I started this call believing that I was
> making a simple request; I wasn't prepared for a battle.  So I quickly
> decided that my best tactic was to retreat, regroup, and attack with more
> troops from a different direction.  Hence this email.  Besides, I wasn't
> sure that I wanted someone who didn't quite grasp these concepts making
> changes to our zone files.
>
> I realize that restricting zone transfers is a minor security enhancement,
> but every little bit helps.  Besides, my boss told me to get it done.  ;)
>
>   
Tell your boss that your ISP is too incompetent to comply with his/her 
request.

I fought the battle against our security department over restricting 
zone transfers, and mostly lost the fight (I retain discretion to open 
up zone transfers selectively for "technical reasons" broadly defined), 
but at least you have an ISP to blame for not complying with this bogus 
"security measure".

- Kevin
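For readers following the thread, here is what the "allow-transfer" directive William asks about looks like in a BIND 9 named.conf. This is an added illustration, not configuration from either poster or from the ISP; the zone name, file path, addresses and key are constructed placeholders. The directive governs only AXFR/IXFR requests; ordinary queries are controlled separately (allow-query), so restricting transfers does not stop resolvers from looking up the zone.

```conf
// Added example, not from the original thread. Two alternative stanzas for
// the same zone are shown; load only one of them.

// BEFORE: no allow-transfer clause at all. BIND's built-in default is
// "allow-transfer { any; };", so any host on the internet can pull the
// whole zone with a single AXFR. This is the state William describes.
zone "example.com" {
    type master;
    file "zones/example.com.db";
};

// AFTER: transfers limited to the hosting provider's own secondaries and to
// the customer's address block, optionally with a TSIG key. Queries are
// unaffected because allow-query keeps its default of "any".
acl "xfer-allowed" {
    203.0.113.2;          // constructed: provider's first secondary
    203.0.113.3;          // constructed: provider's second secondary
    198.51.100.0/24;      // constructed: the customer's own IP block
};

key "xfer-key" {          // constructed TSIG key; generate a real one with
    algorithm hmac-sha256; // dnssec-keygen or tsig-keygen, never reuse this
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

options {
    // Safe default for every zone that lacks its own clause.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "zones/example.com.db";
    // Zone-level clause overrides the global default for this zone only.
    // Either a listed address or a valid TSIG signature is sufficient.
    allow-transfer { xfer-allowed; key xfer-key; };
    // Tell the secondaries to pull promptly after a change.
    also-notify { 203.0.113.2; 203.0.113.3; };
};
```

After reloading, a transfer attempt from an address outside the ACL is answered with REFUSED and logged, while normal A/MX/NS lookups of the zone continue to succeed.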
