
Re: Zone Transfers & Security Question



As I understand this, it has very few security concerns, IF you trust
your ISP.

1. Only allow transfers of your zones that you want that ISP to take.
2. Only allow transfers to be made from their nameservers.

This should minimise any potential threat.  There are no known exploits
against the zone transfer functionality in BIND 8 (to my knowledge
anyways); however, it is not always a good idea to give transfers to
just anyone, because an attacker can use a zone map to plan an attack on
your systems.  In the named.conf, just add a

  allow-transfer{1.1.1.1;};

for the ISP's host IP.  This should be inside
the zone{}; that you want to be able to transfer.

Ryan

kg wrote:
> 
> Hello:
> 
> I've got the openbsd bind 8.* snapshot running chroot'd on a couple 2.5
> boxes dedicated to DNS only.  Rather than delegating the subnet, my ISP
> wants me to allow them to pull zone transfers over to their DNS.  Presently
> I am allowing zone transfers only to my slave server.  Allowing transfers
> to their DNS server has some advantage in that I don't have a redundant link
> at this particular site.  My question is what kind of security issues
> would this open me up to?  (Thanks for your patience with my ignorance.)
> 
> Ciao--kg
> http://www.y2know.org/safari
> 
> Failure is not an option. It comes bundled with your Microsoft product.

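Added example, not part of either message above: a small audit of named.conf text against the two rules in the reply, reporting any zone that has no zone-level allow-transfer or that lets a host outside the expected set pull it. The zone names, the 192.0.2.53 slave address and the EXPECTED map are constructed placeholders; 1.1.1.1 stands for the ISP's host as in the reply.

```python
import re

# Constructed sample named.conf (zone names and the slave IP are placeholders).
SAMPLE = '''
zone "example.com" {
    type master; file "db.example.com";
    allow-transfer{1.1.1.1;};            // ISP only, form used in the reply
};
zone "lab.example.com" {
    type master; file "db.lab";
    allow-transfer { 192.0.2.53; any; }; // "any" defeats the restriction
};
zone "2.0.192.in-addr.arpa" {
    type master; file "db.192.0.2";      // no ACL in this zone
};
'''
# Assumed policy: which hosts may pull which zone (rule 1 and rule 2).
EXPECTED = {
    'example.com': {'192.0.2.53', '1.1.1.1'},
    'lab.example.com': {'192.0.2.53'},
    '2.0.192.in-addr.arpa': {'192.0.2.53', '1.1.1.1'},
}

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def zone_blocks(conf):
    """Yield (zone_name, body) by matching braces after each zone header."""
    conf = strip_comments(conf)
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf, expected):
    """Return (zone, problem) pairs; zones missing from expected allow nobody."""
    findings = []
    for zone, body in zone_blocks(conf):
        acl = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
        if acl is None:
            findings.append((zone, 'no zone-level allow-transfer'))
            continue
        hosts = {h.strip() for h in acl.group(1).split(';') if h.strip()}
        extra = hosts - expected.get(zone, set())
        if extra:
            findings.append((zone, 'unexpected: ' + ', '.join(sorted(extra))))
    return findings
```

A zone reported as having no zone-level allow-transfer falls back to whatever the options block sets, so check that block as well.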