ls -d

Ben Croswell ben.croswell at gmail.com
Mon Aug 11 16:52:34 UTC 2008


Solving it this way will still allow everyone within your networks to do
zone transfers, which could or could not be an issue depending on how paranoid you
are, and it will also allow external users to zone transfer any zones you
put the allow-query any on.
I am not saying limiting queries like that is in any way bad, but it won't
prevent zone transfers, which is what an ls -d is.

Better to limit queries and xfers honestly.

-- 
-Ben Croswell

On Mon, Aug 11, 2008 at 12:00 PM, Ejaz <mejaz at cyberia.net.sa> wrote:

> Thanks to all,
> it is fixed now.
>
> Second option: as I should not allow others to query from the DNS server, as of
> now I am planning to go with the below option. I just need to make sure:
> is there any alternate way to achieve the below? Since it is very painful for
> me to add a line saying "allow-query{any}" in each zone file.
>
>
> 1. An acl line of "allow-query { our-nets; };" would globally allow
> queries from our designated IPs but deny queries from everyone else,
> correct?
>
> 2. "allow-query { any; };" in a zone would allow this zone to be
> queried from anyone in the world.
>
> Many thanks in advance
>
> Regards
> Ejaz
>
> ----- Original Message -----
> From: "James Pratt" <jpratt at norwich.edu>
> To: <bind-users at isc.org>
> Cc: "Ejaz" <mejaz at cyberia.net.sa>
> Sent: Monday, August 11, 2008 5:31 PM
> Subject: RE: ls -d
>
>
> > -----Original Message-----
> > From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of
> > jmc
> > Sent: Monday, August 11, 2008 10:16 AM
> > To: bind-users at isc.org
> > Subject: Re: ls -d
> >
> > --- Ejaz [Mon, Aug 11, 2008 at 04:43:25PM +0300]: ---
> > > Dear all,
> > > I have two DNS servers with the same version of BIND and with similar
> > > configuration.
> > >
> > > Whenever I go with my ns2 (ns2.cyberia.net.sa) server into
> > > nslookup mode, anyone can run the command: ls -d "domain name" as an argument
> > > and get a full dump of information about that domain.
> > >
> > > Please can anyone guide me on how I set up my BIND to not show
> > > my domain if someone does this (ls -d "domainname") to me.
> >
> > As far as I know, ls -d just does an AXFR, so just disable AXFRs for
> > the IP making the request. I could be missing something, however.
>
> Yes, you need to shut off zone transfers to unauthorized IPs and/or
> ranges, as well as disable recursion to internet clients, e.g.:
>
> [meb at 192.149.109.19 ~]# dig @ns2.cyberia.net.sa PHP.NET
>
> ; <<>> DiG 9.3.4-P1 <<>> @ns2.cyberia.net.sa PHP.NET
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37704
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;PHP.NET.                       IN      A
>
> ;; ANSWER SECTION:
> PHP.NET.                86395   IN      A       69.147.83.197
>
> ;; AUTHORITY SECTION:
> PHP.NET.                66384   IN      NS      remote1.easydns.com.
> PHP.NET.                66384   IN      NS      remote2.easydns.com.
> PHP.NET.                66384   IN      NS      ns1.easydns.com.
> PHP.NET.                66384   IN      NS      ns2.easydns.com.
>
> ;; Query time: 192 msec
> ;; SERVER: 212.119.64.3#53(212.119.64.3)
> ;; WHEN: Mon Aug 11 10:26:16 2008
> ;; MSG SIZE  rcvd: 132
>
>
>
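The query/transfer split Ben and James describe, as an added named.conf example (not from anyone in the thread): allow-query and allow-transfer are independent ACLs, so a zone opened with allow-query { any; } still needs its own allow-transfer, and recursion is limited separately. The address ranges, the secondary's address and the zone names are placeholders.

```conf
// Added example of the query/transfer split discussed in the thread.
// Address ranges, the secondary's address and zone names are placeholders.
acl "our-nets"    { 192.0.2.0/24; 203.0.113.0/24; 127.0.0.1; };
acl "secondaries" { 198.51.100.53; };   // hosts allowed to AXFR/IXFR our zones

options {
    directory "/var/named";

    // Global defaults: only our networks may query or recurse ...
    allow-query     { our-nets; };
    allow-recursion { our-nets; };
    // ... and no host may transfer a zone unless a zone statement says so.
    allow-transfer  { none; };
};

// A public zone: the world may look up records, but only the listed
// secondaries may pull the whole zone. allow-query { any; } alone would
// not stop an "ls -d" (an AXFR) from outside, because transfers are
// governed by allow-transfer, not by allow-query.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query    { any; };
    allow-transfer { secondaries; };
};

// An internal-only zone: inherits allow-query { our-nets; } and
// allow-transfer { none; } from options, so nothing needs repeating here.
zone "internal.example.com" {
    type master;
    file "internal.example.com.zone";
};
```

Run named-checkconf before reloading; afterwards an AXFR request for example.com from a host outside the secondaries ACL should be refused while ordinary A lookups still answer.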