Re: debian.org DNSs allow unrestricted zone transfers

martin f krafft wrote:
> also sprach Giacomo A. Catenazzi <cate@debian.org> [2007.05.15.1646 +0200]:
>> the theory: zone transfer of a DNS gives internal information about
>> structure and IPs of internal machines.
>> my theory: that information should be public, or at least if it
>> were, the network should not be unsafer because of it.
>
> I think a simple scan could give the same information, and anyway
> the names of debian machines are listed also on the web.
>
> i see no attack vector.

I agree with you.  The "the theory" should be read as: "security books
write this, but ..."

Without zone transfer, you simplify the detection of net-scans,
but an attacker could use a lot of machines, a lot of time
(few packets per day), and eventually use the automatic response
as a vector for a DoS.

So I agree with you.


PS: on my machines, I see that only switch.ch tries to transfer zones
from my domains (I think for statistics, but nothing on the net).
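The PS above comes from watching who pulls zones from one's own servers. The following is an added example, not code from the original thread or from Debian: it parses BIND 9 style `xfer-out` log lines (the sample lines, IP addresses and the allowlist of secondaries are constructed for the example) and reports every client that started an AXFR or IXFR from outside the set of hosts that are supposed to be secondaries for that zone. It generalizes the PS slightly by handling IXFR as well as AXFR.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of BIND 9 "xfer-out" log lines (not from the original
# post). The "client A.B.C.D#port: transfer of 'zone/IN': AXFR started" shape
# is what BIND 9 logs for outbound zone transfers; the last line is an
# ordinary query and must be ignored.
SAMPLE_LOG = """\
15-May-2007 16:46:01.101 xfer-out: info: client 192.0.2.53#42123: transfer of 'example.org/IN': AXFR started
15-May-2007 16:46:01.205 xfer-out: info: client 192.0.2.53#42123: transfer of 'example.org/IN': AXFR ended
15-May-2007 17:02:44.019 xfer-out: info: client 198.51.100.7#33000: transfer of 'example.org/IN': AXFR started
15-May-2007 17:02:44.120 xfer-out: info: client 198.51.100.7#33000: transfer of 'example.org/IN': AXFR ended
15-May-2007 17:03:09.500 xfer-out: info: client 198.51.100.7#33001: transfer of 'example.net/IN': AXFR started
15-May-2007 17:03:09.611 xfer-out: info: client 198.51.100.7#33001: transfer of 'example.net/IN': AXFR ended
15-May-2007 18:10:00.000 queries: info: client 203.0.113.9#5353: query: www.example.org IN A +
"""

# Hypothetical allowlist: the only networks that should ever pull each zone
# (the official secondaries). Anything else is worth a look.
ALLOWED_SECONDARIES = {
    "example.org": [ipaddress.ip_network("192.0.2.0/24")],
    "example.net": [ipaddress.ip_network("192.0.2.0/24")],
}

# Only the "started" line is counted, so a transfer that is logged as both
# started and ended is reported once.
XFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) xfer-out: \w+: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"transfer of '(?P<zone>[^/']+)/IN': (?P<kind>AXFR|IXFR) started$"
)


def parse_transfers(log_text):
    """Yield (timestamp, client_ip, zone, kind) for each transfer that started."""
    for line in log_text.splitlines():
        m = XFER_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("zone"), m.group("kind")


def unexpected_transfers(log_text, allowlist=ALLOWED_SECONDARIES):
    """Return {client_ip: [(timestamp, zone, kind), ...]} for transfers whose
    client is not inside any allowed network for that zone."""
    by_client = defaultdict(list)
    for ts, ip, zone, kind in parse_transfers(log_text):
        addr = ipaddress.ip_address(ip)
        nets = allowlist.get(zone, [])  # unknown zone: nobody is allowed
        if not any(addr in net for net in nets):
            by_client[ip].append((ts, zone, kind))
    return dict(by_client)


if __name__ == "__main__":
    for client, events in unexpected_transfers(SAMPLE_LOG).items():
        zones = sorted({zone for _, zone, _ in events})
        print(f"{client}: {len(events)} zone transfer(s) of {', '.join(zones)}")
```

Run against the sample, the script reports only 198.51.100.7, with two transfers (example.org and example.net); the transfer from 192.0.2.53 is inside the allowed network and is silent. The same allowlist is what one would put into BIND's `allow-transfer` for each zone, so that unexpected clients are refused rather than merely logged.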

