Unapproved AXFR?
Greg Schaffer
schaffer at mtsu.edu
Mon Dec 13 16:03:38 UTC 1999
>
> If there is anyone out there who can give me a good and sound
> technical reason for blocking zone transfers in the general case,
> please let me know. I struggle with the feeling that I want to limit
Well, here's a thought: Suppose you have an institution that included one
TXT record per A record identifying the user's name, location, office,
and/or title. You could use this information to easily determine the IP of
the CEO's machine, and start trying to hack.
You could of course do this without a full zone transfer; on a case by case
basis you could glean this information one IP at a time from nslookup. But
the idea, as I see it, is to make it harder for a hacker, not strictly
prevent an intrusion. An analogy: a house has deadbolts and a monitored
security system, whereas another has no security system and is left
unlocked. Sure, if someone wanted to they could break into *either* house,
but the second one is a lot easier. If the rewards are the same, which
house would be broken into?
I know this isn't the black/white answer you are looking for...
Greg
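
Added example, not part of the original post: a Python sketch that audits a zone file for the exposure described above, listing hosts whose address record sits beside a TXT record that a zone transfer would hand out in bulk. The zone data, host names and function names are constructed for illustration, and the parser assumes a simple one-record-per-line zone.

```python
import re
from collections import defaultdict

# Constructed sample zone (hypothetical hosts, documentation address range).
SAMPLE_ZONE = """\
$ORIGIN example.edu.
$TTL 3600
@       IN SOA ns1 hostmaster 1999121301 3600 900 604800 3600
@       IN NS  ns1
ns1     IN A   192.0.2.1
pc-101  IN A   192.0.2.101
        IN TXT "J. Doe; President; Admin Bldg 200"
pc-102  IN A   192.0.2.102
pc-103  3600 IN A 192.0.2.103
pc-103  IN TXT "Lab machine" ; shared workstation
www     IN TXT "v=spf1 -all"
"""

# A ';' starts a comment only when it is outside a quoted string.
COMMENT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$).*')

def parse_zone(text):
    """Return {owner: [(rtype, rdata), ...]} for a one-record-per-line zone."""
    records = defaultdict(list)
    owner = None
    for raw in text.splitlines():
        line = COMMENT.sub("", raw).rstrip()
        if not line.strip() or line.startswith("$"):
            continue                      # blank line or $ORIGIN/$TTL directive
        fields = line.split()
        if not line[0].isspace():         # leading blank means "same owner as above"
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                 # skip optional TTL and class
        if owner is None or not fields:
            continue
        rtype = fields.pop(0).upper()
        records[owner].append((rtype, " ".join(fields)))
    return records

def hosts_with_descriptive_txt(records):
    """Owners that publish an address record and a TXT record side by side."""
    findings = {}
    for owner, rrs in records.items():
        types = {rtype for rtype, _ in rrs}
        if types & {"A", "AAAA"} and "TXT" in types:
            findings[owner] = [rdata for rtype, rdata in rrs if rtype == "TXT"]
    return findings

if __name__ == "__main__":
    for host, notes in hosts_with_descriptive_txt(parse_zone(SAMPLE_ZONE)).items():
        print(host, notes)
```
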
More information about the bind-users
mailing list