ZXFR

[Derek J. Balling]

A government site... that CAN'T limit zone xfers?

And we wonder why gov't sites seem to be primo-choice for hackers to target. :)

To put it in the words of the 3rd Edition... Can you please send me a copy
of the phone directory for everyone in the USDA? Thanks. :)

D


At 1:25 PM -0700 11/8/00, Security, Network wrote:
>i realize that limiting zone x-fers would also be an answer but we cannot
>implement this right away...don't ask why...it would take to long to
>explain...what i want to do is disable ZXFR's altogether
>-- qarl
>
>-----Original Message-----
>From: Shawn_Evans at oxy.com [mailto:Shawn_Evans at oxy.com]
>Sent: Wednesday, November 08, 2000 1:11 PM
>To: bind-users at isc.org
>Subject: RE: ZXFR
>
>
>
>
>In your named.conf file, in the options sections, to make the change
>globaly.. add;
>
>options {
>       allow-transfer { 1.2.3/24; };
>};
>
>where 1.2.3/24 is the IP range you want to have the ability to make zone
>transfers.
>
>See DNS & BIND, 3rd Edition pg. 252 for further details.
>
>
>---
>-   Shawn L. Evans, mailto:shawn_evans at oxy.com   -
>-  Phone: 1-918-610-1897 Mobile: 1-918-361-7601  -
>-      Text Page: 8008056238 at airmessage.net      -
>-             Pager:  1-800-805-6238             -
>
>
>-----Original Message-----
>From: Security, Network [mailto:Network.Security at OCIOFC.USDA.GOV]
>Sent: Wednesday, November 08, 2000 1:15 PM
>To: 'bind-users at isc.org'
>Subject: ZXFR
>
>
>alright with this new DoS against 8.2.2P5 with the ZXFR option enabled i am
>poking around trying to figure out how to disable it, sorry if this seems
>like a trivial question...i still get lost in source code. anyway i did NOT
>manually enable it, yet the DoS still works on my Solaris 8 machine. so if
>anyone could tell me where to go to disable this option it would be
>appreciated.
>-- qarl