The original post doesn't specify what type of information is being transferred from their primary to the secondary.  But if they do not want some of this information to be available to the world it would make sense for them to hide it using a stealth primary or secondary server.  

I don't claim to be a DNS wizard but if you use the PTR record in the in-addr.arpa domain, you can "map in reverse from IP numbers to hostnames.  Many Internet protocols and applications rely on this pointer, by convention, so it is not likely to be absent on purpose.  Unless the address isn't being used, of course, but we don't want any of those anyway.  By checking to see which IPs in the allocated address space have a pointer in the in-addr.arpa domain, we can narrow down the search space."  This method for the most part will gather the same intel I can get from an AXFR.  And then there is always NMAP and other such tools.

Limiting zone transfers is IMO not very effective security by obscurity.  There are better ways of limiting the proliferation of DNS information.

-- Bill Stackpole, CISSP
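The reverse sweep Bill describes, as an added example (not code from either poster): walk every address in an allocated block, keep the ones that answer a PTR query, and you have roughly the host list an AXFR would have handed you. The `default_resolver` uses the system resolver; the `SAMPLE_PTRS` table and the hostnames in it are constructed here so the script runs offline, and `192.0.2.0/28` is a documentation block, not anyone's real allocation.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional


def default_resolver(ip: str) -> Optional[str]:
    """Reverse-resolve one address via the system resolver (a PTR lookup
    in in-addr.arpa).  Returns None when there is no pointer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def ptr_sweep(network: str,
              resolve: Callable[[str], Optional[str]] = default_resolver
              ) -> Dict[str, str]:
    """Walk every host address in `network` and keep those that have a PTR.

    Returns {ip: hostname}.  Addresses without a pointer are dropped, which
    is exactly the narrowing of the search space the post talks about:
    what is left is the set of addresses somebody bothered to name.
    """
    found: Dict[str, str] = {}
    for addr in ipaddress.ip_network(network, strict=False).hosts():
        name = resolve(str(addr))
        if name:
            found[str(addr)] = name.rstrip(".")
    return found


# Constructed sample data (not real DNS): the PTRs an ISP's in-addr.arpa
# zone might hold for a customer's /28.  Hostnames are assumptions, chosen
# to show the kind of hint a careless naming scheme leaks.
SAMPLE_PTRS = {
    "192.0.2.1": "gw.example.net.",
    "192.0.2.3": "mail.example.net.",
    "192.0.2.7": "oracle-prod.example.net.",
}


def sample_resolver(ip: str) -> Optional[str]:
    """Offline stand-in for default_resolver, backed by SAMPLE_PTRS."""
    return SAMPLE_PTRS.get(ip)


if __name__ == "__main__":
    # Swap sample_resolver for default_resolver to sweep a real block.
    hosts = ptr_sweep("192.0.2.0/28", sample_resolver)
    for ip in sorted(hosts, key=ipaddress.ip_address):
        print(f"{ip:<15} {hosts[ip]}")
```

The same sweep from a shell is a loop over `dig +short -x $ip`; the point of the script is only that a /24 costs 254 cheap queries, so refusing AXFR hides the zone from nobody who is willing to wait a few seconds.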



"Paul D. Robertson" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

07/11/00 05:18 PM

       
        To:        Scott Reber <[EMAIL PROTECTED]>
        cc:        [EMAIL PROTECTED]
        Subject:        Re: dns zone transfers


On Tue, 11 Jul 2000, Scott Reber wrote:

> I have recently been informed that a MAJOR US ISP allows zone transfers for
> zones that it hosts as secondary.  Upon request to change this default for

Which ISP?  If enough people complain maybe they'll change their policy.

> a particular zone this ISP said they could not.

Sure they can, in fact if they're running BIND they can have per-zone
policies on transfers.  They won't, and that's a different matter.  

>
> This seems to be a security risk and a disregard for the security concerns
> of their clients.  Am I incorrect?  How do members of this list deal with
> such an issue?

It's only a security risk if the data in the zone isn't meant to be
public.  If it's in the public DNS, then you're better off working on host
security, just as if it's Internet accessible.  Relying on zone data which
doesn't change often to be confidential is somewhat silly.  Either host it
yourself if you need business partners to access the data, or work out a
private DNS system with such partners.  It's bad that you can't have them
turn off transfers, and it helps an attacker if you've been careless with
hosts or hostnames (naming schemes that follow passwords, mission-critical
functions, etc.), but fact is that if anyone can find the network they can
scan and/or attack it.  

If you don't like the ISP's policies, then host the DNS elsewhere, it
need have no relation to the provider, the only place where that'd be
difficult was if it were a reverse zone, and in that case if they won't
drop in wherever you want, then it's probably time to switch ISPs (most
ISPs will do the CNAME trick to delegate sub /24 blocks for reverses, any
that won't are being unreasonable.)

If it were me, I'd want it changed just because having stuff exposed
prompts people to try things that they might not if you're locked down.
But I wouldn't lose any sleep over it if everything else is done well with
the hosts named in the zone.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
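Paul makes two points that are easier to see as configuration: BIND can restrict transfers per zone (so "we can't" really means "we won't"), and an ISP can hand a customer its own reverse zone for a sub-/24 block with the CNAME trick from RFC 2317. The following is an added example, not anything from the thread; the zone names, file names, the customer nameserver `ns1.customer.example` and the address block 192.0.2.0/25 are all assumed for illustration.

```conf
// --- ISP's named.conf: a global default plus a per-zone override ---
options {
    // Default for every zone: nobody gets AXFR unless a zone says otherwise.
    allow-transfer { none; };
};

// Secondary for a customer's forward zone.  Transfers only to the
// customer's own primary (assumed address), which is all a secondary needs.
zone "customer.example" {
    type slave;
    masters { 192.0.2.10; };
    file "sec/customer.example";
    allow-transfer { 192.0.2.10; };
};

// The ISP keeps the /24 reverse zone and delegates 192.0.2.0/25 to the
// customer with RFC 2317 classless delegation.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "pri/2.0.192.in-addr.arpa";
    allow-transfer { none; };
};

// --- ISP's zone file pri/2.0.192.in-addr.arpa (the CNAME trick) ---
// $ORIGIN 2.0.192.in-addr.arpa.
// 0/25        NS     ns1.customer.example.
// 1           CNAME  1.0/25.2.0.192.in-addr.arpa.
// 2           CNAME  2.0/25.2.0.192.in-addr.arpa.
// ... one CNAME per address through 127 ...

// --- Customer's named.conf: the delegated reverse zone, hosted at home ---
zone "0/25.2.0.192.in-addr.arpa" {
    type master;
    file "pri/0-25.2.0.192.in-addr.arpa";
    // Only the customer's own secondary (assumed address) may transfer it.
    allow-transfer { 192.0.2.11; };
};

// --- Customer's zone file pri/0-25.2.0.192.in-addr.arpa ---
// $ORIGIN 0/25.2.0.192.in-addr.arpa.
// 1           PTR    gw.customer.example.
// 2           PTR    mail.customer.example.
```

A resolver looking up 1.2.0.192.in-addr.arpa follows the ISP's CNAME into the customer's zone and gets the PTR from there, so the customer controls both the reverse data and who may transfer it, without the ISP having to change its own zone again. Check the result with `dig -x 192.0.2.1` (you should see the CNAME and then the PTR) and `dig @ns1.customer.example 0/25.2.0.192.in-addr.arpa AXFR` from an unauthorised host, which should be refused.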

