How to disable record listing ?

Tal Dayan tal at zapta.com
Thu Aug 3 23:51:00 UTC 2000


Stefan, you are 100% on the mark. The information is sensitive but not too
much. We don't want to make it too easy to extract the entire list, but
guessing one at a time is not that bad.

What is the split DNS that you mention? How do we take advantage of it?
Also, the DNS server is behind a firewall (or we can run IPCHAINS on the DNS
server itself); does this help?

On a related subject, we are looking for an alternative secondary DNS
service that will block list access. Can anybody recommend a reliable and
reasonably priced service?

Thanks,

Tal

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Stefan Probst
> Sent: Tuesday, August 01, 2000 1:02 AM
> To: Kevin Darcy; comp-protocols-dns-bind at moderators.isc.org
> Subject: Re: How to disable record listing ?
>
>
>
> What I understand is that they are providing all of their customers with
> a public sub-domain. Therefore the *public* list of sub-domains becomes
> the *private* data, i.e. the customer list. A competitor could easily get
> their customer list this way, by just pulling their zone file.
>
> Of course, the competition would know this when they see somewhere
> somebody using this subdomain, but it is a much slower process to monitor
> the Net for occurrences of that subdomain than to just pull the zone
> file.
> Since they are not operating any firewall, split zones etc., "Split DNS"
> wouldn't be an option, as far as I understand.
>
> And in this case they are right as far as I understand:
> Restrict zone transfers at the master AND at all slaves, i.e. at the ISP
> in this case.
>
> Hope I am not too far off ;-)
> Stefan
>
> At 16:55 31.07.00 -0400, Kevin Darcy wrote:
> -------------------------
> >
> > You shouldn't have *private* data in the *public* DNS. Period. End of
> > sentence.
> >
> > Blocking zone transfers is a band-aid to the problem. What you really
> > need is split DNS.
> >
> >
> >
> > - Kevin
> >
> > Tal Dayan wrote:
> >
> > > Thanks for the info.
> > >
> > > The motivation for the blocking is to avoid our competitors getting
> > > our customer list (each has a sub domain).
> > > We asked our ISP to block the list as well.
> > >
> > > Tal
> > >
> > > > -----Original Message-----
> > > > From: jim at gromit.rfc1035.com [mailto:jim at gromit.rfc1035.com]On
> > > > Behalf Of Jim Reid
> > > > Sent: Friday, July 28, 2000 6:23 AM
> > > > To: ted_jmt at zapta.com
> > > > Cc: comp-protocols-dns-bind at moderators.isc.org
> > > > Subject: Re: How to disable record listing ?
> > > >
> > > >
> > > > >>>>> "ted" == ted jmt <ted_jmt at zapta.com> writes:
> > > >
> > > >     ted> When we query both servers with nslookup 'ls' command we
> > > >     ted> get the entire list of hosts in our domain (there are several
> > > >     ted> hundreds of them). Is there a way to instruct Bind not to
> > > >     ted> release the list and still have the ISP server backing up
> > > >     ted> our server ?
> > > >
> > > > The allow-transfer clause in named.conf can be used to control who
> > > > can do zone transfers. This is what the ls command of nslookup does.
> > > > [BTW, nslookup is a pathetic tool: use dig for DNS troubleshooting.]
> > > > However, restricting zone transfers doesn't achieve much. For instance,
> > > > if you only let your ISP's name server do zone transfers of your zone(s),
> > > > there's not much point unless they configure their server to do
> > > > likewise. There's usually not a resource problem with zone
> > > > transfers, so limiting them "because of the load" is unlikely to be a
> > > > factor. And restricting zone transfers doesn't make anything more (or
> > > > less) secure.
> > > >
> > > >
> > > >
> >
>
>
>
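As an added illustration, not written by anyone in this thread, the named.conf arrangement Jim and Stefan describe: the master restricts transfers to the ISP's secondary, and the secondary itself refuses transfers, because leaving either end open gives away the full list. The zone name and the 192.0.2.x / 198.51.100.x addresses are placeholders from the documentation ranges.

```conf
// ---- Constructed example: master ("primary") named.conf for example.com ----
// 192.0.2.53 stands in for the ISP's secondary name server.
options {
    directory "/var/named";
    // Server-wide default: no zone transfers to anyone.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only the ISP's secondary may pull the whole zone (AXFR/IXFR).
    // Lookups of individual names are unaffected by this clause.
    allow-transfer { 192.0.2.53; };
    // Tell the secondary promptly when the zone changes.
    also-notify { 192.0.2.53; };
};

// ---- Constructed example: the ISP's secondary ("slave") for the same zone ----
// 198.51.100.53 stands in for the master's address.
zone "example.com" {
    type slave;
    file "sec/example.com.zone";
    masters { 198.51.100.53; };
    // Without this line the secondary hands the full list to anyone,
    // which is exactly the gap Jim points out: restrict at BOTH ends.
    allow-transfer { none; };
};

// Verification from an outside host (both servers should refuse):
//   dig @ns1.example.com example.com axfr
//   dig @ns2.example.com example.com axfr
// BIND's address match lists also accept a TSIG key entry
// (e.g. allow-transfer { key transfer-key; };) if the ISP supports it,
// which ties the transfer to a shared secret rather than a source address.
```

Note that, as Kevin says, this only blocks bulk listing; names remain individually resolvable, which is the trade-off Tal accepts above.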