limiting zone AXFR

Tony Earnshaw tonye at ilion.nl
Sat Apr 8 12:08:39 UTC 2000


"Michael Vincent K. Pozon - CompE" wrote:

> by the way, my question is that, how do I limit any hosts to do a zone
> transfer? I don't want unauthorized hosts to do AXFR from my nameserver

What BIND version? We (I) limit zone AXFRs for our Internet domains to
certain mailservers maintained by our ISP. We limit zone transfers of
our internal zones to our internal servers.

We run (self compiled) BIND 8.2.2-P5 on SCO OpenServer 5.0.5.

In named.conf on the authoritative nameserver, we have the following
lines for each zone (including the in-addr.arpa zones that we
maintain ourselves). This is an example for one internal zone:

zone "lh.ilion.nl" {
 type master;
 file "lh/db.lh";
 check-names fail;
 allow-query { 195.81.20.0/24; 192.168.100.0/24; 192.168.18.0/24; };
 allow-update { none; };
 allow-transfer { 195.81.20.0/24; 192.168.100.0/24; 192.168.18.0/24; };
};

'allow-query' limits prevent Internet servers (particularly our fallback
server that our ISP runs) from including internal machines in their caches.
Before anyone says that it wouldn't do this anyway, I'd remark that,
before we had the 'allow-query' parameter, I was _horrified_ to see that
external nameservers _did_ know what IP number foundat7.lh.ilion.nl and
other (RFC 1918 private network) internal machines had. This stopped
them!

Tony

-- 

Tony Earnshaw
Randstad 2157
1314 BH Almere, NL

e-mail: tonye at ilion.nl
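As an added example (not part of the post above, and not Tony's configuration), here is a small checker that reads the kind of named.conf zone stanzas shown in the message and reports zones whose AXFR is not restricted. The named.conf text is a constructed sample in the style of the post; the parser assumes each zone block closes with `};` at the start of a line.

```python
import re

# Constructed sample named.conf (not the poster's real file): one zone
# restricted as in the post, one explicitly open, one with no clause at all.
SAMPLE_NAMED_CONF = """
zone "lh.ilion.nl" {
 type master;
 file "lh/db.lh";
 allow-query { 195.81.20.0/24; 192.168.100.0/24; };
 allow-transfer { 195.81.20.0/24; 192.168.100.0/24; };
};
zone "open.example" {
 type master;
 file "db.open";
 allow-transfer { any; };
};
zone "unset.example" {
 type master;
 file "db.unset";
};
"""

# A zone block: zone "<name>" { ... }; with the closing "};" on its own line.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
# The two access-control statements the post relies on.
OPTION_RE = re.compile(r'(allow-transfer|allow-query)\s*\{([^}]*)\}')


def parse_zones(conf):
    """Return {zone_name: {statement: [address list entries]}}."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)   # strip /* */ comments
    conf = re.sub(r'(//|#).*', '', conf)                # strip // and # comments
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        opts = {}
        for stmt, lst in OPTION_RE.findall(body):
            opts[stmt] = [e.strip() for e in lst.split(';') if e.strip()]
        zones[name] = opts
    return zones


def audit_transfers(conf):
    """Map each zone with unrestricted AXFR to the reason it was flagged."""
    findings = {}
    for name, opts in parse_zones(conf).items():
        xfer = opts.get('allow-transfer')
        if xfer is None:
            findings[name] = 'no allow-transfer clause (BIND 8 default allows transfers to any host)'
        elif 'any' in xfer:
            findings[name] = 'allow-transfer { any; }'
    return findings


if __name__ == "__main__":
    for zone, reason in audit_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {reason}")
```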
