RE: blocking AXFR record query

To: debian-security@lists.debian.org
Subject: RE: blocking AXFR record query
From: HdV@DTO.TUDelft.NL
Date: Thu, 29 Jan 2004 12:03:21 +0100 (MET)
Message-id: <[🔎] Pine.GSO.4.58.0401291200040.8158@sanders.rc.tudelft.nl>
In-reply-to: <[🔎] NDBBKABJBJCIJNAELLKEAEHOJDAA.jimm@simutronics.com>
References: <[🔎] NDBBKABJBJCIJNAELLKEAEHOJDAA.jimm@simutronics.com>

On Wed, 28 Jan 2004, James Miller wrote:

> If memory serves.. AXFR is a zone transfer... So, at your firewall, would
> want to only allowing TCP queries from your backup (secondary,
> trinary..etc.) dns servers (on the outside of your firewall) and limit
> everyone else to UDP queries.

I am no BIND expert, but please do not block TCP 53 unless you want to
drop about 20% (might be another percentage at your site) of all valid
lookups too! There is a long-standing myth that DNS traffic is UDP only
(excepting zone transfers). THIS IS NOT TRUE. I am sorry, I can't help
you with the BIND specific stuff.

Grx HdV

Reply to:

References:
- RE: blocking AXFR record query
  - From: "James Miller" <jimm@simutronics.com>

Prev by Date: Bug#230063: openwebmail security hole
Next by Date: Re:
Previous by thread: Re: blocking AXFR record query
Next by thread: Hardening named.conf
Index(es):
- Date
- Thread