Re: debian.org DNSs allow unrestricted zone transfers

To: debian-security@lists.debian.org
Subject: Re: debian.org DNSs allow unrestricted zone transfers
From: "Giacomo A. Catenazzi" <cate@debian.org>
Date: Tue, 15 May 2007 16:46:43 +0200
Message-id: <4649C7D3.7050803@debian.org>
In-reply-to: <20070515120830.GA28216@piper.oerlikon.madduck.net>
References: <915136920705150456u29311c79ra4aa91237f067f9d@mail.gmail.com> <20070515120830.GA28216@piper.oerlikon.madduck.net>

martin f krafft wrote:

also sprach Abel Martín <abel.martin.ruiz@gmail.com> [2007.05.15.1356 +0200]:

I thought zone transfers should only be possible between DNSs
which have records for the same domain, so why are debian.org DNSs
(raff, rietz, klecker) allowing zone transfers? Maybe I'm
paranoid, but I think there are security issues related to this,
including the possibility of suffering DoS attacks (it serves 254
records). Is there an explanation for this?


Where is the attack vector? I can DoS those servers in other ways
too.


the theory: zone transfer of a DNS gives internal information about
structure and IPs of internal machines.

I think a simple scan could give the same information, and
anyway the name of debian machines is listed also on the
web.

ciao
	cate

Reply to:

Follow-Ups:
- Re: debian.org DNSs allow unrestricted zone transfers
  - From: martin f krafft <madduck@debian.org>

References:
- debian.org DNSs allow unrestricted zone transfers
  - From: "Abel Martín" <abel.martin.ruiz@gmail.com>
- Re: debian.org DNSs allow unrestricted zone transfers
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: debian.org DNSs allow unrestricted zone transfers
Next by Date: Re: debian.org DNSs allow unrestricted zone transfers
Previous by thread: Re: debian.org DNSs allow unrestricted zone transfers
Next by thread: Re: debian.org DNSs allow unrestricted zone transfers
Index(es):
- Date
- Thread