trusted nslookup

Tony Inskeep tony at pfeiffer.edu
Sat Feb 5 16:29:46 UTC 2000


On Sat, 5 Feb 2000, Webmaster wrote:

> Is there a way to allow only a trusted source nslookup access
> (and thereby barring all others) without interfering with
> basic services? If yes, how?

I'm not sure if it's an option for you, but I seem to remember ISC
recommending that anyone w/ < 8.2.2 upgrade if at all possible. There are
apparently some security issues.

I think that you might be looking for the allow-transfer directive, which
could be used globally under the options section at the top of your conf,
or you can specify the directive on a per zone basis. Someone more
knowledgeable will probably need to correct me if I'm wrong, but I believe
that allow-transfer lines in a zone can override the global allow-transfer
statement. This effectively allows only those networks or hosts to do zone
transfers for which you are listed as an authority.

If, however, you also want to prevent others from using you as a name
server for other internet addresses, you will want to use the allow-query
directive under your root cache zone.

Oh, you can use ACLs for both of these directives by defining them above
the options section.

> Are there any 'holes' in an improperly configured DNS which 
> would allow outsiders to remotely generate a complete list
> of hosted domains? If yes, how to close the hole?

I think I read on Ask Mr DNS that you cannot get a list of all hosted
domains on a particular box. Again, I defer to anyone who knows better...
at least that's the answer Mr DNS gave to the inquiring mind =)

FYI a good presentation by Cricket Liu on securing your DNS box:

http://www.acmebw.com/securing/

Mr Liu goes over the information I've attempted to summarize above in
more detail in the presentation above. You can also download a pdf
version of the presentation. Hope that helps.

Tony Inskeep
Pfeiffer University
704.463.1360 x2172
------------------
Serious error.
All shortcuts have disappeared.
Screen. Mind. Both are blank.
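The acl / allow-transfer / allow-query layout Tony describes, as an added named.conf example that is not part of the original thread; the ACL names, network numbers, zone names and file names are made up for illustration and follow BIND 8-era usage.

```conf
// Added example, not from the original post. Addresses, zone and file
// names are made-up placeholders.

// ACLs must be defined before they are referenced, i.e. above options.
acl "secondaries" {
    192.0.2.53;          // hypothetical secondary name server
    198.51.100.53;       // hypothetical off-site secondary
};

acl "internal" {
    127.0.0.1;
    192.0.2.0/24;        // hypothetical internal network
};

options {
    directory "/var/named";
    // Global default: only the listed secondaries may do zone transfers.
    allow-transfer { secondaries; };
};

// Root hints zone. Restricting queries here limits who can use this
// server to look up names it is not authoritative for (BIND 8 usage;
// BIND 9 handles this with allow-recursion { internal; }; in options).
zone "." {
    type hint;
    file "named.ca";
    allow-query { internal; };
};

// Public authoritative zone: inherits the global allow-transfer,
// and anyone may query the records it is authoritative for.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };
};

// A per-zone allow-transfer overrides the global statement; this
// zone is never transferred and is only queryable from inside.
zone "internal.example.com" {
    type master;
    file "db.internal.example.com";
    allow-transfer { none; };
    allow-query { internal; };
};
```

After editing, a zone transfer attempt from a host outside "secondaries" should be refused, which is the easiest way to check the ACLs actually took effect.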



