Re: Zone Transfers & Security Question

At 10:30 -0600 on 9/7/99, kg wrote:
> Hello:
> I've got the openbsd bind 8.* snapshot running chroot'd on a couple 2.5
> boxes dedicated to DNS only.  Rather than delegating the subnet, my ISP
> wants me to allow them to pull zone transfers over to their DNS.  Presently
> I am allowing zone transfers only to my slave server.  Allowing transfers
> to their DNS server has some advantage in that I don't have a redundant link
> at this particular site.  My question is what kind of security issues
> would this open me up to?  (Thanks for your patience with my ignorance.)

The only real security issue I see regarding in-addr.arpa and zone transfers
is with facilitating info-gathering prior to an attack.  For that, blocking
zone transfers gains you little extra security -- the attacker can always
just walk the subnet and do individual queries for each IP.

For forward resolution, there's no trivial work-around for not having access
to the zone, so it can make good sense to block transfers.  This is
particularly true when you don't want to generally advertise that you have a
particular subdomain, or that you have machines on a particular subnet.

I moved to BIND 8.* on my DNS boxes because I needed to go both ways.  Some
customers were requiring that I block transfers, while others definitely
wanted the entire zone open.  BIND 4 can only allow or disallow transfers for
all zones together.  BIND 8 can allow or disallow transfers for each zone
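
An added example, not from the original message, of what that per-zone control looks like in a BIND 8 named.conf: the addresses, file names and zone names are placeholders. The reverse zone is opened to the ISP's server as well as the slave, a forward zone that should not be advertised keeps the restrictive default, and one customer zone is left fully open.

```conf
// Added example BIND 8 named.conf fragment; every address, path and
// zone name below is a placeholder, not taken from the original message.
acl my-slave { 192.0.2.2; };        // our own secondary server
acl isp-dns  { 198.51.100.53; };    // the ISP's server asking for transfers

options {
    directory "/var/named";
    // Default for every zone: only our own slave may pull a transfer.
    allow-transfer { my-slave; };
};

// Reverse zone: blocking transfers gains little here, so the ISP is
// allowed too. This list replaces the options default for this zone.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "192.0.2.rev";
    allow-transfer { my-slave; isp-dns; };
};

// Forward zone we do not want to advertise: no allow-transfer of its
// own, so it inherits the restrictive default from options.
zone "example.net" {
    type master;
    file "example.net.zone";
};

// A customer zone that must stay fully open for transfers.
zone "customer.example" {
    type master;
    file "customer.example.zone";
    allow-transfer { any; };
};
```

A zone statement without its own allow-transfer inherits the options default, so after reloading, confirm each zone's effective policy with an AXFR request from a host outside its allowed list; the transfer should be refused.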


