High Zone Xfer?
Nate Duehr
nate at natetech.com
Tue Feb 20 03:21:12 UTC 2001
On Tue, Feb 20, 2001 at 09:27:36AM +1100, Mark.Andrews at nominum.com wrote:
> That said it gives some people a warm fuzzy feeling to block
> zone transfers in the belief that it will significantly slow
> down attempts to break into the site or reduce spam.

Mark, could you clarify here? Are you saying features like
"allow-transfer" are useless?

Personally I find that if there's no reason for any machines other than
my hosting servers to send transfers to one another, then the transfers
should be limited to those machines.

Yes, it's a public database (more like a caching proxy, but hey...
whatever...) but there's no need to hand people all your machine names
in one easy-to-make query.

Agreed, however, that most attackers simply don't care or don't use DNS,
but I see no reason to give them the luxury in a properly designed
architecture.

--
Nate Duehr <nate at natetech.com>
GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
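
As an added example (not part of the original post and not BIND code), this sketch audits a named.conf for zones that any host could transfer, which is the exposure "allow-transfer" is meant to close. The sample config, its zone and ACL names, and the function names are constructed; it assumes a BIND release where an unset allow-transfer means any host, looks only at top-level zones, and does not expand named ACLs.

```python
import re

# Constructed named.conf for illustration; addresses are documentation ranges.
SAMPLE_CONF = '''
acl "xfer-peers" { 192.0.2.53; 198.51.100.53; };   // the other hosting servers
options { directory "/var/named"; };
zone "open.example"   { type master; file "db.open"; };
zone "any.example"    { type master; file "db.any"; allow-transfer { any; }; };
zone "locked.example" { type master; file "db.locked"; allow-transfer { "xfer-peers"; }; };
'''
AUTHORITATIVE = {'master', 'primary', 'slave', 'secondary'}

def tokenize(text):
    # Naive comment stripping: assumes no '#' or '//' inside quoted strings.
    text = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', text, flags=re.S)
    return iter(re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text))

def parse_block(tokens):
    """Consume tokens up to the matching '}' and return the statements read.
    A statement is a list of words, with each nested { } block as a sub-list."""
    stmts, cur = [], []
    for tok in tokens:
        if tok == '}':
            break
        elif tok == ';':
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(parse_block(tokens) if tok == '{' else tok.strip('"'))
    return stmts

def transfer_acl(body, default=None):
    """Elements of the block's allow-transfer list, or `default` when not set."""
    found = [s[-1] for s in body if s[0] == 'allow-transfer']
    return [' '.join(map(str, e)) for e in found[0]] if found else default

def open_transfer_zones(conf_text):
    """Top-level authoritative zones whose effective allow-transfer admits any host."""
    blocks = [s for s in parse_block(tokenize(conf_text)) if isinstance(s[-1], list)]
    inherited = transfer_acl(next((s[-1] for s in blocks if s[0] == 'options'), []))
    findings = []
    for s in blocks:
        types = {w for st in s[-1] if st[0] == 'type' for w in st[1:] if isinstance(w, str)}
        if s[0] == 'zone' and types & AUTHORITATIVE:
            acl = transfer_acl(s[-1], inherited)
            if acl is None or 'any' in acl:
                findings.append((s[1], 'not set' if acl is None else 'includes any'))
    return findings
```

On the sample, "open.example" and "any.example" are reported; adding `allow-transfer { none; };` to the options block leaves only the zone that explicitly says `any`.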