Re: blocking AXFR record query

To: Debian-Security <debian-security@lists.debian.org>
Subject: Re: blocking AXFR record query
From: Tobias Reckhard <jester71@gmx.net>
Date: Thu, 29 Jan 2004 06:26:14 +0100
Message-id: <[🔎] 40189976.8000800@gmx.net>
In-reply-to: <[🔎] 20040128200219.GA3114@moskovskaya>
References: <[🔎] 200401281943.57333.leva@az.isten.hu> <[🔎] NDBBKABJBJCIJNAELLKEAEHOJDAA.jimm@simutronics.com> <[🔎] 20040128200219.GA3114@moskovskaya>

David Barroso wrote:

* James Miller (jimm@simutronics.com) wrote:

If memory serves.. AXFR is a zone transfer... So, at your firewall, would
want to only allowing TCP queries from your backup (secondary,
trinary..etc.) dns servers (on the outside of your firewall) and limit
everyone else to UDP queries.  And for your bind9 config something like
this:


It is not a good idea to block TCP packets to your DNS server, since TCP
is not only used for zone transfer, it is also used when answering a DNS
query with a response that does not fit in a normal UDP datagram.

In fact the limit is even much lower, namely 512 bytes (a UDP datagramhas a 16-bit length field). But whether responses of your server willhave to be truncated is entirely under your control and many sites don'thave RRs that will cause more than a 512 byte response to be used.


Cheers,
Tobias

Reply to:

References:
- blocking AXFR record query
  - From: LeVA <leva@az.isten.hu>
- RE: blocking AXFR record query
  - From: "James Miller" <jimm@simutronics.com>
- Re: blocking AXFR record query
  - From: David Barroso <tomac@somoslopeor.com>

Prev by Date: Re: Hardening named.conf
Next by Date: Re: Hardening named.conf
Previous by thread: Re: blocking AXFR record query
Next by thread: RE: blocking AXFR record query
Index(es):
- Date
- Thread