Unapproved AXFR?

Lars-Johan Liman liman at sunet.se
Tue Dec 14 17:06:35 UTC 1999


barmar at bbnplanet.com:
> If you name machines after users, projects, etc. then zone transfers
> can divulge proprietary information.  Most companies have a policy
> that the employee directory can't be distributed to outsiders; if
> the DNS database is almost equivalent, it makes sense not to
> distribute it, either.


Yeah, but that's exactly the point! The DNS is a public directory, for
cryin' out loud! :-) The information is there, maybe not for listing,
but for access. If you don't want people to access the information -
don't put it up for public retrieval. I, for sure, wouldn't put
sensitive information in my DNS server, hoping that no one would find
it, because they don't know what to look for, even if I had limited
zone transfers from my server. I consider that to be "security by
obscurity", which is a principle that I don't want to base my security
on. It's actually quite close to "I'll put my plain-text telnet daemon
on port 4711, and then I'm safe.". :-)

				Cheers,
				  /Liman
#----------------------------------------------------------------------
# Lars-Johan Liman, Systems Specialist	! E-mail: liman at sunet.se
# KTH Network Operations Centre         ! HTTP  : //www.sunet.se/~liman
# Royal Institute of Technology, Sweden	! Voice : Int +46 8 - 790 65 60
#----------------------------------------------------------------------
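Editor's added example (not part of Liman's post or of BIND): a toy model of the situation he describes. The server refuses AXFR to anyone outside its allow-transfer list, yet still answers ordinary A and PTR queries, so a client recovers the zone anyway by guessing names from a wordlist and then walking the reverse zone of every network it finds. The zone contents, the wordlist and the addresses are constructed for the demo; the reverse sweep goes one step beyond the post, which only mentions guessing names.

```python
"""Added example, not from the original bind-users post.

Models an authoritative server that limits zone transfers (like BIND's
allow-transfer) but answers per-name queries, and shows how much of the
zone an outsider can still list without AXFR.
"""
import ipaddress

# Constructed zone; hostnames deliberately leak project and user names,
# which is exactly the data the thread is worried about.
ZONE = {
    "www.example.test.": "192.0.2.10",
    "mail.example.test.": "192.0.2.11",
    "ns1.example.test.": "192.0.2.2",
    "project-orion.example.test.": "192.0.2.57",
    "alice-ws.example.test.": "192.0.2.80",
}


class AuthServer:
    """Authoritative server for ZONE with a BIND-style allow-transfer ACL."""

    def __init__(self, zone, allow_transfer):
        self.zone = dict(zone)
        self.allow_transfer = set(allow_transfer)  # IPs permitted to AXFR
        # Emulates the matching in-addr.arpa zone on the same server.
        self.reverse = {ip: name for name, ip in zone.items()}

    def axfr(self, client_ip):
        """Full zone for listed secondaries, REFUSED (None) for everyone else."""
        if client_ip not in self.allow_transfer:
            return None
        return dict(self.zone)

    def query_a(self, name):
        """Ordinary A lookup; None stands for NXDOMAIN."""
        return self.zone.get(name)

    def query_ptr(self, ip):
        """Ordinary PTR lookup; None stands for NXDOMAIN."""
        return self.reverse.get(ip)


def enumerate_zone(server, origin, wordlist, client_ip):
    """Try AXFR first; if refused, rebuild the zone from individual queries.

    Step 1: forward-guess names from a wordlist.
    Step 2: for every address found, sweep its /24 with PTR queries,
            which also turns up names the wordlist never contained.
    """
    full = server.axfr(client_ip)
    if full is not None:
        return full

    found = {}
    for word in wordlist:
        name = f"{word}.{origin}"
        ip = server.query_a(name)
        if ip is not None:
            found[name] = ip

    # Assumes hosts cluster in /24s, a heuristic for the demo.
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False)
            for ip in found.values()}
    for net in nets:
        for host in net.hosts():
            name = server.query_ptr(str(host))
            if name is not None:
                found[name] = str(host)
    return found


if __name__ == "__main__":
    srv = AuthServer(ZONE, allow_transfer={"192.0.2.2"})  # only ns1 may AXFR
    outsider = "203.0.113.5"
    print("AXFR from outsider:", srv.axfr(outsider))       # None (refused)
    recovered = enumerate_zone(srv, "example.test.", ["www", "mail", "ftp"], outsider)
    for name, ip in sorted(recovered.items()):
        print(f"{name:32} {ip}")
```

With a three-word wordlist the outsider still recovers all five records, including "project-orion" and "alice-ws", because one hit in 192.0.2.0/24 is enough to walk the reverse zone. Restricting AXFR (and ideally requiring TSIG for the listed secondaries) is still worth doing, since it stops casual bulk dumps, but as the post argues it is not a substitute for keeping sensitive names out of a public zone.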

