ZXFR

dave.goldsmith at intelsat.int
Wed Nov 8 22:05:49 UTC 2000


You CAN'T "limit" zone transfers (by editing the named.conf file)

But you CAN "disable" zone transfers (by editing the named.conf file or by
modifying the code to remove support for ZXFR).

Would not DISABLE seem to be more inclusive than LIMIT???

Dave

-----Original Message-----
From: Security, Network [mailto:Network.Security at OCIOFC.USDA.GOV]
Sent: Wednesday, November 08, 2000 3:25 PM
To: 'Shawn_Evans at oxy.com'
Cc: 'bind-users at isc.org'
Subject: RE: ZXFR


i realize that limiting zone x-fers would also be an answer but we cannot
implement this right away...don't ask why...it would take too long to
explain...what i want to do is disable ZXFR's altogether
-- qarl

-----Original Message-----
From: Shawn_Evans at oxy.com [mailto:Shawn_Evans at oxy.com]
Sent: Wednesday, November 08, 2000 1:11 PM
To: bind-users at isc.org
Subject: RE: ZXFR




In your named.conf file, in the options section, to make the change
globally, add:

options {
       allow-transfer { 1.2.3/24; };
};

where 1.2.3/24 is the IP range you want to have the ability to make zone
transfers.

See DNS & BIND, 3rd Edition pg. 252 for further details.


---
-   Shawn L. Evans, mailto:shawn_evans at oxy.com   -
-  Phone: 1-918-610-1897 Mobile: 1-918-361-7601  -
-      Text Page: 8008056238 at airmessage.net      -
-             Pager:  1-800-805-6238             -


-----Original Message-----
From: Security, Network [mailto:Network.Security at OCIOFC.USDA.GOV]
Sent: Wednesday, November 08, 2000 1:15 PM
To: 'bind-users at isc.org'
Subject: ZXFR


alright with this new DoS against 8.2.2P5 with the ZXFR option enabled i am
poking around trying to figure out how to disable it, sorry if this seems
like a trivial question...i still get lost in source code. anyway i did NOT
manually enable it, yet the DoS still works on my Solaris 8 machine. so if
anyone could tell me where to go to disable this option it would be
appreciated.
-- qarl
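
The limit-versus-disable distinction discussed in this thread, as an added example that is not part of the original messages: a small Python audit that reports, for the global options block and each zone, whether allow-transfer leaves transfers disabled, limited or unrestricted. The sample named.conf, the zone names and all function names are constructed for illustration; the script assumes BIND's default of allowing transfers to any host when no allow-transfer statement applies.

```python
import re

# Constructed sample config; zone names are placeholders, 1.2.3/24 is the thread's example range.
SAMPLE_CONF = '''
options {
    directory "/var/named";
    allow-transfer { 1.2.3/24; };   // global: limited to one range
};
zone "example.com" { type master; file "db.example.com"; allow-transfer { none; }; };
zone "example.net" { type master; file "db.example.net"; };  # inherits the global setting
zone "example.org" { type master; file "db.example.org"; allow-transfer { any; }; };
'''

def strip_comments(text):
    """Drop /* */, // and # comments (comment markers inside quoted strings are not handled)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    depth, start, header_start, header = 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header, start = text[header_start:i].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[start:i]
        elif ch == ";" and depth == 0:
            header_start = i + 1

def classify(body, inherited):
    """Map an allow-transfer list to a state; negated or named ACLs are simply 'limited'."""
    m = re.search(r"allow-transfer\s*\{([^{}]*)\}", body)
    if not m:
        return inherited
    elems = [e.strip() for e in m.group(1).split(";") if e.strip()]
    if elems == ["none"]:
        return "disabled"
    return "unrestricted" if "any" in elems else "limited"

def audit(conf):
    blocks = list(top_level_blocks(strip_comments(conf)))
    default = "unrestricted"  # assumption: no allow-transfer means any host may transfer
    for header, body in blocks:
        if header == "options":
            default = classify(body, default)
    zones = [(re.match(r'zone\s+"([^"]+)"', h), b) for h, b in blocks]
    return {"options": default, **{m.group(1): classify(b, default) for m, b in zones if m}}
```

Calling `audit(SAMPLE_CONF)` returns one state per zone, so any zone still reported as unrestricted stands out.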








