How to disable record listing ?

Kevin Darcy kcd at daimlerchrysler.com
Mon Jul 31 20:55:14 UTC 2000


You shouldn't have *private* data in the *public* DNS. Period. End of
sentence.

Blocking zone transfers is a band-aid to the problem. What you really need is
split DNS.



- Kevin

Tal Dayan wrote:

> Thanks for the info.
>
> The motivation for the blocking is to avoid our competitors getting our
> customer list (each has a sub domain).
> We asked our ISP to block the list as well.
>
> Tal
>
> > -----Original Message-----
> > From: jim at gromit.rfc1035.com [mailto:jim at gromit.rfc1035.com]On Behalf Of
> > Jim Reid
> > Sent: Friday, July 28, 2000 6:23 AM
> > To: ted_jmt at zapta.com
> > Cc: comp-protocols-dns-bind at moderators.isc.org
> > Subject: Re: How to disable record listing ?
> >
> >
> > >>>>> "ted" == ted jmt <ted_jmt at zapta.com> writes:
> >
> >     ted> When we query both servers with nslookup 'ls' command we get
> >     ted> the entire list of hosts in our domain (there are several
> >     ted> hundreds of them). Is there a way to instruct Bind not to
> >     ted> release the list and still have the ISP server backing up our
> >     ted> server ?
> >
> > The allow-transfer clause in named.conf can be used to control who can
> > do zone transfers. This is what the ls command of nslookup does. [BTW,
> > nslookup is a pathetic tool: use dig for DNS troubleshooting.] However
> > restricting zone transfers doesn't achieve much. For instance if you
> > only let your ISP's name server do zone transfers of your zone(s),
> > there's not much point unless they configure their server to do
> > likewise. There's usually not a resource problem with zone transfers,
> > so limiting them "because of the load" is unlikely to be a factor. And
> > restricting zone transfers doesn't make anything more (or less)
> > secure.
> >
> >
> >
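The two pieces of advice in the thread above (Jim's allow-transfer restriction and Kevin's split DNS) put together as an added configuration example. This is not code from any of the posters; it is a BIND 9 named.conf fragment, and views and tsig-keygen are BIND 9 features that postdate the July 2000 discussion. The zone name, addresses, key name and secret are placeholders.

```conf
// Added example, not from the thread. BIND 9 syntax; all names,
// addresses and key material below are placeholders.

// TSIG key shared with the ISP's secondary. Generate the secret with
// tsig-keygen (or dnssec-keygen -a HMAC-SHA256 on older 9.x releases)
// and keep it out of anything world-readable.
key "isp-xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

acl "internal"      { 10.0.0.0/8; 192.168.0.0/16; localhost; };
acl "isp-secondary" { 192.0.2.53; };

options {
    directory "/var/named";
    // Global default: no host may AXFR/IXFR any zone unless a zone
    // statement below says otherwise. This is the fix for nslookup 'ls'.
    allow-transfer { none; };
    recursion no;
};

// Internal view: the full zone, including every customer sub-domain,
// answered only to internal resolvers. Transfers go to the internal
// secondary only; the ISP never sees this file.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        allow-transfer { 10.0.0.2; };
    };
};

// External view: a separate, pruned zone file holding only what the
// public needs (public NS, MX, www). This is the "split DNS" Kevin
// recommends: the customer list is simply not in the public zone.
// Only a request signed with the ISP's key may transfer it, and the
// server notifies the ISP's address when the zone changes.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-transfer { key isp-xfer-key; };
        also-notify { 192.0.2.53; };
    };
};

// The matching half on the ISP's secondary (their named.conf), without
// which the restriction is pointless, as Jim notes: the secondary must
// sign its transfer requests and must itself refuse transfers to anyone.
//
//   key "isp-xfer-key" { algorithm hmac-sha256; secret "SAME_SECRET"; };
//   server 203.0.113.10 { keys { isp-xfer-key; }; };
//   zone "example.com" {
//       type slave;
//       masters { 203.0.113.10; };
//       file "sec/example.com.zone";
//       allow-transfer { none; };
//   };
```

Two caveats a practitioner would check. First, in BIND 9 once any view is declared every zone must live inside a view, so the two zone statements cannot be left at the top level. Second, verify from an address not in either ACL with `dig @ns1.example.com example.com AXFR`, which should report "Transfer failed."; then from the ISP secondary with `dig -y hmac-sha256:isp-xfer-key:<secret> @ns1.example.com example.com AXFR`, which should return the pruned public zone and nothing from the internal file. Restricting transfers alone only stops the wholesale listing; anyone can still query individual customer names one at a time, which is exactly why the private names belong in the internal view and not in the public zone at all.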
More information about the bind-users mailing list