> On Mon, 2004-05-03 at 11:20, Varun Varma wrote:
> > [EMAIL PROTECTED]:[08:35](5) dig @ns1.webyarn.com mindsw.com axfr
> > <snip>
> > Another case in point:
> You missed binand's point there.
No, I didn't. Binand's point was flawed: Binand attempted sarcasm and completely missed the structure of sarcasm.
If I had said "All *good* DNS servers disallow unauthorized domain transfers" and Binand had then gone on to show how our own DNS servers allow it, he might have made a point.
But all he did was point out a fact, which I had never disputed in the first place, and take a sarcastic tone while stating it.
> Don't allow anyone and everyone to do zone transfers off your DNS! :)
Why not?
I hope you realise that zone transfers are read-only and pose no threat to the security of the server whatsoever.
All the information hosted on these servers is purely public. There is no *confidential* DNS information here. Thus, there are no privacy concerns.
In terms of it being a potential DoS target, it isn't - not any more than, say, a "dig -t any @ns1.easydns.com vaibhavsharma.com" - and that's because the server runs cPanel, which creates only four additional DNS entries per domain by default (two A records - ftp, localhost - and two CNAME records - mail, www), and these are standard across all domains hosted on the server. As you can see, there are not too many additional RRs in the zone for us to be concerned that the size of a zone transfer would be substantially larger than that of a "dig -t any" query.
Why do we do it? Because some clients want to run in-house slave DNS servers and we don't want to stop them from doing so. Isn't that the problem you had with XO?
One might argue that allowing unauthorized zone transfers doesn't leave you with a warm fuzzy secure feeling. But as far as I can see, there is no logical reason not to allow these zone transfers.
Oh yes, I am aware of the CERT Vulnerability Note VU#715973:
http://www.kb.cert.org/vuls/id/715973
-- 
Regards,
Varun Varma
Mindframe Software & Services Pvt. Ltd.
http://www.mindsw.com
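An added example, not from the thread or from cPanel: the BIND named.conf settings that let a client's in-house slave pull the zone (the case the message gives for allowing transfers) while refusing AXFR from everyone else. The slave address, key name, zone name and file name are assumed placeholders.

```conf
// Open form, which is what the thread is debating: any host may AXFR.
//   options { allow-transfer { any; }; };
// Restricted form below: deny transfers globally, then re-open per zone
// for one assumed slave address or for a client presenting a TSIG key.

key "client-xfer" {                       // hypothetical key name
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // generate with tsig-keygen
};

acl "client-slaves" { 192.0.2.53; };      // assumed in-house slave (documentation range)

options {
    allow-transfer { none; };             // default for every zone not overridden
    notify explicit;                      // send NOTIFY only to listed hosts
    also-notify { 192.0.2.53; };
};

zone "example.com" {
    type master;
    file "example.com.zone";              // assumed zone file
    // Only the ACL members, or anyone signing with the key, may transfer.
    allow-transfer { "client-slaves"; key "client-xfer"; };
};
```

After reloading, a "dig @ns1 example.com axfr" from an address outside the ACL returns "; Transfer failed." while the listed slave still receives NOTIFY and can pull the zone.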
linux-india-help mailing list
https://lists.sourceforge.net/lists/listinfo/linux-india-help
