Our ISP says they can't restrict zone transfers

Jeff Martin jmartin at relianceglobalcom.com
Mon Apr 21 23:06:32 UTC 2008


80ei01 is a VMAN switch. Can we move those two services 80ei01 to 80xt01? 

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of William Bell
Sent: Monday, April 21, 2008 3:33 PM
To: Chris Buxton
Cc: bind-users at isc.org
Subject: Re: Our ISP says they can't restrict zone transfers

Hey Chris,

Follow-up:
I finally got our zone transfer issue resolved late last week.  As it turns out, Time Warner Telecom (TWTC) can't enable zone transfers for a specific IP range, they have to either "turn it on or turn it off."  So I had them turn it off entirely (except for the TWTC nameservers, of course).  Now my security guys and my boss are happy.  :/

Unfortunately, the engineer who made the modifications accidentally disabled DNS for our primary domain too, which created an intermittent outage of our main website and other services (VPN, etc).  Naturally, as the DNS caches timed out, the outage became more widespread.  Nice work.

Once we discovered the impending doom, I called TWTC (I have their direct number now) and worked with them to get it resolved.  It just so happens that the person who broke our DNS was the same person I had spoken to before (see my earlier email quote below).  However, to her credit, she admitted to the mistake, fixed it instantly, and apologized profusely.  Apparently, TWTC uses a proprietary tool to manage DNS and she's new, so she's still getting used to the tool. Because the outage was intermittent and we worked quickly to resolve it, the damage wasn't too bad.

On the plus side, because of the outage, I think I may have established a better relationship with the engineers at the new TWTC NOC.
Hopefully.

Thanks again for the advice.
-Bill


On 4/10/08 7:56 PM, "William Bell" <bellwm at gmail.com> wrote:

> Hi Chris,
> Thanks for the feedback.  It's very helpful.
> 
> Yeah, I tried to find out if there was some sort of restriction that 
> may have prevented her from doing the allow-transfer statement, but 
> she started asking me questions that made little sense to me and 
> didn't seem pertinent, so I just bailed.
> 
> We've had TWTC as our DNS host for about 6 years, and, for the most 
> part, they've been good, but I used to send them the zone file changes 
> verbatim (in plain text) so they couldn't screw it up.  They may have 
> made 2-3 mistakes total in 6 years, but they were minor (forgot the 
> trailing dot, etc).  That's why all the crap she was throwing at me 
> caught me by surprise.  It was strange.
> 
> You're probably right, they may not be able to "hand edit" the zone 
> files and their management tool may not allow them to restrict AXFR's per domain.
> 
> Anyway, thanks for restoring my confidence in my memory.  I don't have 
> Alzheimer's yet!  Or do I?  I can't remember.  ;)
> 
> If you want, I'll post a follow-up after I call them again tomorrow.
> Take care!
> Bill
> 
> 
> On 4/10/08 7:30 PM, "Chris Buxton" <cbuxton at menandmice.com> wrote:
> 
>> An AXFR is a type of zone transfer. The other type is called IXFR, or 
>> incremental zone transfer.
>> 
>> Either way, what the TW script monkey told you was completely false, 
>> as you were already thinking. Restricting zone transfers would not 
>> stop anyone from retrieving specific records from your zone - that 
>> statement is called "allow-query", not "allow-transfer".
>> 
>> It may be that the following are true, thus making it inconvenient 
>> for TW to restrict zone transfers:
>> 
>> - They are not using TSIG.
>> - The list of source addresses of legitimate zone transfers is not 
>> well known.
>> 
>> Or it may simply be that their DNS management tool does not expose 
>> this functionality.
>> 
>> I have heard several negative anecdotes about TW's DNS staff. Good 
>> luck with this.
>> 
>> Chris Buxton
>> Professional Services
>> Men & Mice
>> 
>> On Apr 10, 2008, at 4:08 PM, William Bell wrote:
>>> Hi,
>>> First, it's been a few years since I maintained BIND servers, so 
>>> please forgive my rustiness.  :) I couldn't find an answer to this 
>>> particular question in the archives, so... What valid reason would any 
>>> ISP or DNS hosting company have for NOT restricting zone transfers 
>>> to valid nameservers, IPs, hosts, etc?
>>> 
>>> Also, a "zone transfer" and an AXFR request are the same thing, 
>>> aren't they?
>>> 
>>> Why I'm asking this question:
>>> We recently determined that our ISP/DNS host (Time Warner Telecom) 
>>> allows zone transfers for our domains from anywhere on the internet 
>>> (as far as we can tell).  So I called and asked them to restrict 
>>> zone transfers for our domains to their own DNS servers and to our 
>>> internet IP blocks.  Sounds like a simple "allow-transfer" directive 
>>> in our zone file, right?  Not according to the TW rep I spoke to.  
>>> They told me that, since they were the authoritative DNS servers for 
>>> our domains, if they restricted zone transfers as I requested, then 
>>> no one would be able to access our DNS and thus no one would be able 
>>> to access our servers from the internet.  Okay, it's been 4 or 5 
>>> years since I've done any DNS work, but this response struck me as 
>>> a bit strange.  I began to suspect that either I was much less 
>>> informed about DNS than this Time Warner rep or vice versa.
>>> 
>>> In addition, during the course of the conversation, she also stated 
>>> with conviction that zone transfers and AXFRs were 2 different 
>>> things.  I was so dumbfounded that I didn't know what to say.  Again, 
>>> I gave her the benefit of the doubt; I considered that maybe I had 
>>> been somehow misinformed all these years or that the DNS paradigm had 
>>> changed - after all, this was a "level 2" person in the DNS group at 
>>> Time Warner - so I let it go.  I just thanked her for her time, asked 
>>> her to keep the ticket open and told her I would get back to them.
>>> 
>>> I should've just escalated, but I started this call believing that I 
>>> was making a simple request; I wasn't prepared for a battle.  So I 
>>> quickly decided that my best tactic was to retreat, regroup, and 
>>> attack with more troops from a different direction.  Hence this 
>>> email.  Besides, I wasn't sure that I wanted someone who didn't 
>>> quite grasp these concepts making changes to our zone files.
>>> 
>>> I realize that restricting zone transfers is a minor security 
>>> enhancement, but every little bit helps.  Besides, my boss told me 
>>> to get it done.  ;)
>>> 
>>> Any advice would be greatly appreciated.
>>> Thanks
>>> 
>>> --
>>> Regards,
>>> Bill
>>> 
>>> "No trees were killed in the making of this e-mail... however, a 
>>> large number of electrons were terribly inconvenienced."
>>> 
>>> 
>>> 
>> 
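To make concrete the distinction Chris draws between "allow-query" and "allow-transfer", and the two preconditions he lists (TSIG and a known list of secondary addresses), here is a BIND 9 named.conf fragment. It is an added example and not part of the thread or of any provider's configuration; the zone name, addresses, key name and secret are placeholders.

```conf
// Added example, not from the thread: a BIND 9 named.conf fragment that
// restricts whole-zone copies (AXFR/IXFR) while leaving ordinary lookups
// open. All names, addresses and the secret below are placeholders.

// TSIG key shared with the secondary servers. Generate a real one with
//   tsig-keygen xfer-key.example.net
// and paste its output here; the secret shown is NOT a valid key.
key "xfer-key.example.net" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// Hosts that legitimately pull the zone: the provider's own secondaries and
// the customer's address block (placeholder ranges from RFC 5737).
acl "zone-secondaries" {
    key "xfer-key.example.net";   // any request carrying a valid TSIG signature
    192.0.2.10;                   // provider secondary (placeholder)
    192.0.2.11;                   // provider secondary (placeholder)
    198.51.100.0/24;              // customer's Internet block (placeholder)
};

options {
    directory "/var/named";
    // Ordinary record lookups stay open to the whole Internet. This is what
    // keeps the zone resolvable; it is untouched by the transfer restriction.
    allow-query { any; };
    // Whole-zone copies are limited to the ACL above.
    allow-transfer { zone-secondaries; };
    // Tell the secondaries to pull promptly after a change.
    notify yes;
    also-notify { 192.0.2.10; 192.0.2.11; };
};

zone "example.net" {
    type master;
    file "example.net.zone";
    // Per-zone statement, in case one zone needs a different secondary set;
    // it overrides the global allow-transfer for this zone only.
    allow-transfer { zone-secondaries; };
};
```

After loading this, `named-checkconf` should report no errors, `dig @<your-server> www.example.net A` from any host should still answer, and `dig @<your-server> example.net AXFR` from a host outside the ACL should report "Transfer failed." while the listed secondaries (or any client signing with the key, `dig -k <keyfile> ... AXFR`) still receive the zone. That pair of checks is the quickest way to confirm that the restriction applied to transfers and not, as the rep feared, to queries.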