[clug] Debian update - Bind config

Sam Couter sam at couter.dropbear.id.au
Sun May 18 21:18:39 EST 2003


Rasjid Wilcox <rasjidw at openminddev.net> wrote:
> 
> The 'acl' and 'allow-transfer' lines were added into the config file during 
> the upgrade process.  I have read through the named.conf man page, and it is 
> still not obvious to me whether these changes are desirable and should be 
> left in, or should be commented out.  Given that the man page says:
>        allow-transfer
>               ...  If not specified, the default is to allow transfers
>               from all hosts.
> then it looks to me like this is a more secure arrangement, but I'm really 
> just guessing here.  On the other hand, perhaps this is saying to publish 
> information that was previously not being published, which would be bad.

It's talking about zone transfers. Normally clients will connect to your
DNS server and ask for specific information, like "Tell me what IP
address the host named 'www' has" (e.g., "host www.example.com"). Zone
transfers mean people can get access to hostnames and other DNS records
that you might consider somewhat secret, and don't publish in any other
way (e.g., "host -l example.com". Try it against a server that allows zone
transfers: "host -l pgp.net").

Normal DNS operation (with BIND) only requires zone transfers from the
primary server for the zone to the secondary servers, but no-one else
really needs them.

Of course, relying on "secret" hostnames is a form of security by
obscurity, and really isn't much like security at all. I've never
restricted zone transfers on any DNS servers that I've been in charge of
in the past.

Of course, there may be other concerns such as bandwidth use and
possible DoS attacks against a DNS server that allows zone transfers. I
don't know of any specific risks here though.
-- 
Sam "Eddie" Couter  |  mailto:sam at couter.dropbear.id.au
Debian Developer    |  mailto:eddie at debian.org
                    |  jabber:sam at teknohaus.dyndns.org
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
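An added example, not from the original message or the Debian package: a named.conf fragment showing what the 'acl' and 'allow-transfer' lines discussed above do, with the documented default (transfers allowed from all hosts) replaced by a policy that only lets the zone's secondaries pull a full copy. The addresses, zone name and file paths are constructed placeholders.

```conf
// Added example: restrict zone transfers to the secondary servers.
// Addresses, zone name and paths are constructed, not from the post.

// The 'acl' names the hosts allowed to pull a full copy of the zone.
// Only the secondaries for the zone need that (see the message above).
acl secondaries {
    192.0.2.53;      // constructed: secondary nameserver, IPv4
    2001:db8::53;    // constructed: the same nameserver, IPv6
};

options {
    directory "/var/cache/bind";   // Debian's usual working directory (assumed)

    // Without this line the man page's default applies: transfers are
    // allowed from all hosts, which is exactly what "host -l example.com"
    // relies on. 'none' closes that for every zone that does not override it.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";   // constructed path

    // Per-zone override: only the named acl may transfer this zone.
    // Ordinary lookups ("host www.example.com") are not affected by
    // allow-transfer; they are governed by allow-query, not by this option.
    allow-transfer { secondaries; };
};
```

After editing, `named-checkconf` (shipped with BIND 9) reports syntax errors before the daemon is reloaded, and a `host -l example.com` run from an address outside the acl should then be refused while the secondaries still transfer normally.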