Unapproved AXFR?
Bill Manning
bmanning at ISI.EDU
Mon Dec 13 17:57:29 UTC 1999
% Re: blocking zone transfers...
% The first one is ... someone is trying to identify all my computers.
%
% The second reason to do a zone transfer from someone unknown, is to
% try to solve a problem.
%
% To the news group/mailing list:
%
% If there is anyone out there who can give me a good and sound
% technical reason for blocking zone transfers in the general case,
% please let me know. I struggle with the feeling that I want to limit
% them for some fuzzy security related issue that I can't pin-point, but
% so far my feelings have been unable to convince my logical CPU that
% there is a strong technical reason to do so, so I keep them open - for
% now.
A couple of good, sound technical reasons for blocking:
- Our organization has hijacked name or number space and wishes
to keep it hidden from view
- Our organization is highly vulnerable and can't be bothered,
or just plain can't fix the problems, so we block visibility
into our space.
Wearing my blackhat, I make the presumption that if blocking exists then
my second premise is accurate and treat that as a high-profile target.
To borrow from a previous example, if there are two facilities, one with
highly visible security and one w/o apparent controls, the script kiddies
will poke the "open" system and find little in the way of useful exploits
and will then focus on the "protected" systems, on the theory that the
admin staff would not go to such lengths unless there was something worth
protecting.
Wearing my whitehat, I'll point out that for a number of sites, regular
audits help identify and weed out vulnerable software or misconfiguration.
This only helps increase the robustness and stability of the entire system.
I guess that, in general, for sites that have good end-system protection systems
in place, blocking is at best moot and at worst an invitation to attack.
For sites that can't or don't control end-system protection, blocking provides
a modicum of assurance. (Four big educational sites come to mind.)
--bill
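For readers following the thread who want to see what "blocking" actually looks like in BIND, here is an added named.conf fragment (not from Bill's message or the original poster, and not BIND's shipped defaults) showing the open configuration next to the restricted one. The zone name example.com and the addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders from the documentation ranges; the acl name "secondaries" and the zone file name are assumptions.

```conf
// Added example, not part of the original thread: restricting AXFR in BIND.
// Zone name, file name and addresses are constructed placeholders.

options {
    // Weak setting: with no allow-transfer clause at all, any client that can
    // reach port 53 may pull a complete copy of every zone this server serves.
    // Corrected: deny transfers globally, then re-open them per zone below.
    allow-transfer { none; };
};

// Assumed: 192.0.2.10 and 192.0.2.11 are this server's secondaries.
acl secondaries { 192.0.2.10; 192.0.2.11; };

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only the listed secondaries may transfer the zone. Everyone else gets
    // REFUSED on AXFR, while ordinary lookups of individual names still work,
    // so replication keeps running without exposing the whole host list.
    allow-transfer { secondaries; };
};
```

After reloading, a defender can confirm the setting from a host outside the acl with `dig @<your-server> example.com axfr`; a restricted server answers with "Transfer failed." rather than listing the zone, and a normal `dig @<your-server> www.example.com a` still resolves.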