Re: dns zone transfers


Subject: Re: dns zone transfers
arthur@corlissfamily.org
Date: Wed Nov 21 2001 - 10:39:15 AKST


On Wed, 21 Nov 2001, Chris Hamilton wrote:

> Hi all. Is there a good reason (or any reason) to allow unknown dns
> servers the ability to pull all your zone records (zone transfers)? I
> was under the impression that only authorized dns servers needed to have
> this ability.
>
> So... if you have a primary, I thought that only the secondary (and any
> others that are listed with the registrar), needed to be able to perform
> zone transfers.

That's correct. The security-conscious should use ACLs, and make sure your
internal LAN zones are not resolvable from the outside at all. That kind of
information can give the script kiddies some idea of what your network
topology is...

        --Arthur Corliss
          Bolverk's Lair -- http://arthur.corlissfamily.org/
          "Live Free or Die, the Only Way to Live" -- NH State Motto
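The two controls the reply recommends, a transfer ACL for the public zone and keeping internal zones off the public server, map onto a BIND 9 configuration like the following. This is an added example, not a config from the original thread or its author; the zone name example.com, the secondary addresses 192.0.2.53 and 198.51.100.53, the 10.0.0.0/8 LAN and the file paths are all assumptions for illustration.

```conf
// Added example (not from the original post): BIND 9 named.conf fragment
// that limits zone transfers to listed secondaries and keeps internal
// zones unreachable from the outside. Names, addresses and paths are
// assumptions chosen for illustration.

// Hosts permitted to pull zones: the secondaries listed with the registrar.
acl "secondaries" {
    192.0.2.53;          // ns2.example.com (assumed)
    198.51.100.53;       // off-site secondary (assumed)
};

acl "internal" {
    10.0.0.0/8;          // assumed LAN range
    127.0.0.1;
};

options {
    directory "/var/named";
    // Default for every zone: nobody may transfer. Per-zone statements
    // below override it. Without this line BIND's default is "any", which
    // is exactly the open transfer the original question asks about.
    allow-transfer { none; };
    // Only the LAN may use this server as a recursive resolver.
    allow-recursion { internal; };
};

// Internal view: consulted first, matched only by LAN clients. The LAN
// zone exists here only, so outsiders can neither resolve nor transfer it.
view "internal" {
    match-clients { internal; };
    recursion yes;

    zone "corp.example.com" {
        type master;
        file "internal/corp.example.com.zone";
        allow-transfer { internal; };   // internal secondaries only
    };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        allow-transfer { internal; };
    };
};

// External view: everyone else. Only the public zone is served, and only
// the registered secondaries may transfer it.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-transfer { secondaries; };
    };
};
```

Check the syntax with `named-checkconf` before `rndc reload`, then verify from a host that is not in the ACL with `dig @ns1.example.com example.com AXFR`: the answer should be "Transfer failed." (BIND logs the refusal), while the same query from a listed secondary returns the full zone. One caveat: an address-based ACL trusts the source IP, so for transfers over the public Internet a TSIG-signed transfer (`allow-transfer { key "ns2-key"; };` with a matching `key` statement on both servers) is the stronger choice; the address ACL above is the minimum.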



This archive was generated by hypermail 2a23 : Wed Nov 21 2001 - 10:39:17 AKST