Unapproved AXFR?

Bill Manning bmanning at ISI.EDU
Mon Dec 13 17:57:29 UTC 1999


% Re: blocking zone transfers...

% The first one is ... someone is trying to identify all my computers. 
% 
% The second reason to do a zone transfer from someone unknown, is to
% try to solve a problem. 
% 
% To the news group/mailing list:
% 
% If there is anyone out there who can give me a good and sound
% technical reason for blocking zone transfers in the general case,
% please let me know. I struggle with the feeling that I want to limit
% them for some fuzzy security related issue that I can't pin-point, but
% so far my feelings have been unable to convince my logical CPU that
% there is a strong technical reason to do so, so I keep them open - for
% now.

 A couple of good, sound technical reasons for blocking:
	- Our organization has hijacked name or number space and wishes
	  to keep it hidden from view
	- Our organization is highly vulnerable and can't be bothered
	  or just plain can't fix the problems, so we block visibility
	  into our space.

 Wearing my blackhat, I make the presumption that if blocking exists then
 my second premise is accurate and treat that as a high-profile target.
 To borrow from a previous example, if there are two facilities, one with
 highly visible security and one w/o apparent controls, the script kiddies
 will poke the "open" system and find little in the way of useful exploits
 and will then focus on the "protected" systems, on the theory that the
 admin staff would not go to such lengths unless there was something worth
 protecting.

 Wearing my whitehat, I'll point out that for a number of sites, regular
 audits help identify and weed out vulnerable software or misconfiguration.
 This only helps increase the robustness and stability of the entire system.

 I guess that in general, for sites that have good end-system protection
 in place, blocking is at best moot and at worst an invitation to attack.
 For sites that can't or don't control end-system protection, blocking provides
 a modicum of assurance. (Four big educational sites come to mind).

--bill
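Whichever side of the argument above one lands on, the first thing a practitioner wants is to know what a given server actually does when asked for a zone transfer. The following is an added example, not code from this thread, from Bill Manning, or from BIND: it builds the same AXFR request that `dig @server axfr zone` sends, reads the TCP reply stream, and reports OPEN (a record stream bracketed by SOA records), REFUSED/NOTAUTH (the server blocks it), or INCOMPLETE (the server closed the connection part way). It uses only the Python 3 standard library; the zone name example.com., the addresses, and the two sample replies at the bottom are constructed for the offline demonstration and were not captured from any real server.

```python
# Added example, not code from the bind-users thread or from BIND: send an AXFR
# request the way `dig axfr` does and classify the reply. Python 3 stdlib only;
# the sample replies at the bottom are constructed, not captured from a server.
import socket
import struct

QTYPE_AXFR, QTYPE_SOA, QTYPE_A, CLASS_IN = 252, 6, 1, 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """12-byte header (one question, no flags) followed by the AXFR/IN question."""
    hdr = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return hdr + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # RFC 1035 compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)

def parse_answer(msg):
    """Return (rcode, [(owner, type, rdata), ...]) for one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    rrs = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x0F, rrs

def classify_axfr(messages):
    """OPEN once the record stream runs SOA ... SOA; else the rcode or INCOMPLETE."""
    rrs = []
    for m in messages:
        rcode, recs = parse_answer(m)
        if rcode != 0:                             # REFUSED/NOTAUTH: transfer blocked
            return RCODES.get(rcode, "RCODE%d" % rcode), rrs
        rrs.extend(recs)
    if len(rrs) >= 2 and rrs[0][1] == QTYPE_SOA and rrs[-1][1] == QTYPE_SOA:
        return "OPEN", rrs
    return "INCOMPLETE", rrs

def probe_axfr(server, zone, port=53, timeout=5.0):
    """Live check over TCP (AXFR is TCP-only); equivalent to `dig @server axfr zone`."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        f, messages = s.makefile("rb"), []
        while True:
            hdr = f.read(2)                        # each TCP message is length-prefixed
            if len(hdr) < 2:                       # server closed the stream on us
                break
            messages.append(f.read(struct.unpack("!H", hdr)[0]))
            verdict, rrs = classify_axfr(messages)
            if verdict != "INCOMPLETE":
                return verdict, rrs
    return classify_axfr(messages)

def build_response(query, rcode, rrs):
    """Constructed server reply for offline testing: QR|AA set, question echoed."""
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, len(rrs), 0, 0)
    body = query[12:]
    for owner, rtype, rdata in rrs:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return hdr + body

# Constructed samples (hypothetical zone, not captured from any real server).
QUERY = build_axfr_query("example.com.")
SOA_RDATA = (encode_name("ns1.example.com.") + encode_name("hostmaster.example.com.")
             + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 3600))
OPEN_REPLY = build_response(QUERY, 0, [("example.com.", QTYPE_SOA, SOA_RDATA),
                                       ("www.example.com.", QTYPE_A, bytes([192, 0, 2, 10])),
                                       ("example.com.", QTYPE_SOA, SOA_RDATA)])
REFUSED_REPLY = build_response(QUERY, 5, [])     # what a blocked transfer looks like
```

`classify_axfr([OPEN_REPLY])` returns OPEN with three records and `classify_axfr([REFUSED_REPLY])` returns REFUSED; against a real server, `probe_axfr("192.0.2.53", "example.com.")` (address hypothetical) gives the same verdicts. If the verdict is OPEN and that was not intended, the BIND knob is `allow-transfer { <secondary addresses>; };` in the zone or options statement; BIND of that era handed the zone to anyone who asked unless that option said otherwise, which is exactly the choice the thread is arguing about.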

