Re: debian.org DNSs allow unrestricted zone transfers
martin f krafft wrote:
> also sprach Giacomo A. Catenazzi <firstname.lastname@example.org> [2007.05.15.1646 +0200]:
>> the theory: zone transfer of a DNS gives internal information about
>> structure and IPs of internal machines.
>> my theory: that information should be public, or at least, if it
>> were, the network should not be less safe because of it.
> I think a simple scan could give the same information, and anyway
> the names of debian machines are also listed on the web.
> I see no attack vector.
I agree with you. The "the theory" should be read as: "security books
write this, but ..."
Without zone transfer, you simplify the detection of net-scans,
but an attacker could use a lot of machines, a lot of time
(a few packets per day), and eventually use the automatic response
as a vector for a DoS.
So I agree with you.
PS: on my machines, I see that only switch.ch tries to transfer zones
from my domains (I think for statistics, but nothing on the net).
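For readers who do want to restrict AXFR regardless of the argument above, the following BIND 9 named.conf fragments show the unrestricted setting the thread subject describes next to a restricted one. This is an added example, not configuration from debian.org, from the posters, or from the Debian project; the zone name example.org, the secondary addresses 192.0.2.53 and 2001:db8::53, the key name xfer-key and the file paths are placeholders.

```conf
// Added example (not from the thread). Hypothetical zone "example.org",
// hypothetical secondaries 192.0.2.53 / 2001:db8::53, placeholder paths.

// Unrestricted: any client can pull the whole zone with
//   dig @ns1.example.org example.org AXFR
// This is the condition described in the thread subject.
zone "example.org" {
    type master;
    file "/var/lib/bind/db.example.org";
    allow-transfer { any; };
};

// Restricted: only requests signed with a shared TSIG key may transfer
// the zone. Generate the secret with "tsig-keygen xfer-key" and install
// the same key stanza on each secondary; the value below is a placeholder.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_tsig-keygen==";
};

// Optional: restrict by address as well as by key. Matching is by key
// alone here because source addresses are a weaker authenticator.
acl "secondaries" {
    192.0.2.53;
    2001:db8::53;
};

zone "example.org" {
    type master;
    file "/var/lib/bind/db.example.org";
    // Only TSIG-authenticated peers may AXFR/IXFR; everyone else gets REFUSED.
    allow-transfer { key "xfer-key"; };
    // Tell the listed secondaries to pull a fresh copy after each change.
    notify yes;
    also-notify { 192.0.2.53; 2001:db8::53; };
};
```

After reloading named, an unsigned `dig @ns1.example.org example.org AXFR` should return "Transfer failed." with status REFUSED, while the same query with `-y hmac-sha256:xfer-key:<secret>` from a secondary should still succeed. As the thread points out, this only raises the cost of enumeration; the names remain discoverable by ordinary queries and scans.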