news@mothra.nts.uci.edu (News Person) (05/24/91)
Can the response to the ls -<option> domain response be disabled, but still allow a zone transfer?

I've looked at the code (University of Toronto's bind) briefly, and found a variable named xfr_disable, that when set disables ls domain. The question is, since it is labeled for zone transfers, does this also disable zone transfers to servers that I delegate authority to?

Mark Eggers - Walt Disney Imagineering
meggers@walt.disney.com
/mde/
tytso@ATHENA.MIT.EDU (Theodore Ts'o) (05/24/91)
Date: 23 May 91 17:03:37 GMT
From: meggers@walt.disney.com

> Can the response to the ls -<option> domain response be disabled, but still allow a zone transfer? I've looked at the code (University of Toronto's bind) briefly, and found a variable named xfr_disable, that when set disables ls domain. The question is, since it is labeled for zone transfers, does this also disable zone transfers to servers that I delegate authority to?

Yes, it will disable zone transfers to servers as well as disallowing the "ls -<option>" command in nslookup. This is because the name server can't tell the difference between the two cases. In the latter case, your secondary servers are sending the AXFR request to your named. In the first case, the nslookup program is sending the AXFR request. Your name daemon will respond identically in both cases, since it can't determine which client issued the AXFR request.

I suppose if you really want to be paranoid about such things, you could hack your name daemon to check the IP address before making a decision about whether or not to honor a zone transfer request. None of the existing Unix implementations of the DNS, to my knowledge, support this, although it wouldn't be hard to add. Note, however, that unless your secondary servers are also set to be fascist, someone would still be able to find out what hosts you have by sending the zone transfer request to your secondary servers.

Why do you want to be so fascist about zone transfers, anyway? If you're relying on people not knowing the names of your host as a security mechanism, be advised this is a bad idea. Attackers who know how to use "ls -<option>" to nslookup can probably also try to see which addresses in 39.104.1.* respond, and then figure out the names. Alternatively, they could use just the internet address in lieu of the name.

- Ted
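The check Ted describes (look at the requesting client's address before honoring an AXFR, while still answering ordinary lookups) is illustrated below as an added example; it is not code from the thread or from any version of bind. The per-zone transfer list, the packet builder, and the addresses are all constructed for the demonstration; modern BIND exposes the same idea as its allow-transfer option, and, as Ted notes, the restriction only helps if every secondary applies it too.

```python
"""Added example (not from the thread): honour an AXFR (zone transfer)
request only when the client's source address is one of the zone's
delegated secondaries.  The per-zone list, the query builder and all
addresses here are constructed for the demonstration."""
import ipaddress
import struct

QTYPE_AXFR = 252  # RFC 1035 QTYPE value for a zone transfer request


def parse_question(packet: bytes):
    """Return (qname, qtype) from the first question of a DNS query.
    Only uncompressed names are handled, which is all a query needs."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question fixed fields")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) + ".", qtype


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed query packet for testing; not a real capture."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


# Hypothetical per-zone transfer list: the zone's delegated secondaries.
# Addresses are constructed from the RFC 5737 documentation ranges.
TRANSFER_ACL = {
    "example.com.": [ipaddress.ip_network("192.0.2.10/32"),
                     ipaddress.ip_network("198.51.100.0/24")],
}


def axfr_decision(packet: bytes, client_ip: str) -> str:
    """Return 'answer', 'refuse' or 'not-axfr' for one incoming query.

    Only AXFR queries are subject to the list; ordinary lookups are
    served as usual, so restricting transfers does not break resolution.
    """
    qname, qtype = parse_question(packet)
    if qtype != QTYPE_AXFR:
        return "not-axfr"
    client = ipaddress.ip_address(client_ip)
    allowed = TRANSFER_ACL.get(qname.lower(), [])
    if any(client in net for net in allowed):
        return "answer"
    # Anyone else (e.g. an nslookup "ls" from an arbitrary host) is refused;
    # log the source so repeated attempts are visible to the operator.
    print(f"REFUSED AXFR {qname} from {client}")
    return "refuse"


if __name__ == "__main__":
    axfr = build_query("example.com.", QTYPE_AXFR)
    print(axfr_decision(axfr, "192.0.2.10"))      # listed secondary: answer
    print(axfr_decision(axfr, "203.0.113.7"))     # anyone else: refuse
    a_query = build_query("www.example.com.", 1)  # plain A lookup
    print(axfr_decision(a_query, "203.0.113.7"))  # not-axfr, served normally
```

The decision is keyed on the transport source address only, so it is exactly as strong as that address is hard to spoof; a transfer over TCP (which AXFR normally uses) makes that check meaningful, and pairing it with a per-secondary list on every server in the delegation closes the gap Ted points out.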
emv@msen.com (Ed Vielmetti) (05/31/91)
In article <9105291302.AA04129@sayshell.umd.edu> louie@SAYSHELL.UMD.EDU ("Louis A. Mamakos") writes:
> We had to disable zone transfers on TERP.UMD.EDU, which is one of the root
> name servers. It was getting beat to death by some cretins which performed
> zone transfers quite frequently.
Is the raw data that's in the root servers available by some other
means, like anonymous FTP for instance? I've found it quite handy to
get a dump of (e.g.) the .com root servers, but if there's a less
cretinous way of doing it I'd be happy to do so.
--
Edward Vielmetti, vice president for research, MSEN Inc. emv@msen.com
"often those with the power to appoint will be on one side of a
controversial issue and find it convenient to use their opponent's
momentary stridency as a pretext to squelch them"