Unapproved AXFR?

sthaug at nethelp.no sthaug at nethelp.no
Tue Dec 14 17:39:21 UTC 1999


> > I used to be of that opinion also. Then somebody transferred most of the
> > zones from a server which is slave for several thousand zones - and soon
> > afterwards we saw attacks which were obviously based on information from
> > those zone files. We stopped public zone transfers after that incident.
> 
> I understand, but that is not a technical reason. The information is
> available anyhow. You just dig out the IP address of their mail and
> web servers, and do a spread spectrum attack to that vicinity. You
> don't even have to bother with the domain names.

I agree that the information is available. It's a question of magnitude.

By having a server with several thousand zones freely available for all
to transfer, I've just made the cracker's work some orders of magnitude
easier. If the zones are *not* available, they have to use individual DNS
lookups, or find other name servers that allow zone transfers.

> They _are_ going to attack your systems - sometime. Don't sit around
> hoping that blocking zone transfers is going to keep them out.

I definitely agree - but blocking zone transfers is going to make it
harder for at least *some* crackers. That's sufficient reason for me.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
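As an added example that is not from the original post or thread: the difference Steinar is arguing for, expressed as a BIND named.conf fragment (BIND 9 syntax assumed; the zone names, addresses and key name are constructed placeholders).

```conf
// Added example, not from the post. Constructed placeholders throughout.

// Weak: anyone who can reach port 53 can pull the whole zone, which is
// what older BIND defaulted to when allow-transfer was left unset.
zone "weak.example" {
    type master;
    file "db.weak.example";
    allow-transfer { any; };
};

// Hardened: a TSIG key shared only with the secondaries.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME";   // generate with tsig-keygen
};

acl "secondaries" {
    192.0.2.10;      // constructed: ns2
    2001:db8::53;    // constructed: ns3
};

options {
    // Global default: no zone may be transferred unless it says otherwise.
    allow-transfer { none; };
};

zone "example.net" {
    type master;
    file "db.example.net";
    // Idiom from the BIND ARM: the negated nested list rejects every source
    // that is not a secondary, and sources that are must still sign with
    // the key. Both conditions have to hold.
    allow-transfer { !{ !secondaries; any; }; key xfer-key; };
    also-notify { 192.0.2.10; 2001:db8::53; };
};

// Log outbound transfers (granted and refused) so pulls are visible.
logging {
    channel xfer-log { file "xfer.log"; severity info; print-time yes; };
    category xfer-out { xfer-log; };
};
```

From a host that is not a listed secondary, `dig @ns1.example.net example.net AXFR` should answer `Transfer failed.` once this is in place, while signed transfers from the listed secondaries continue to work.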