nsupdate behavior

Waltner, Steve swaltner at lsil.com
Tue Dec 18 23:23:24 UTC 2001


Because it is UDP traffic, which is INCREDIBLY easy to forge. If BIND
allowed the local IP address or 127.0.0.1 DNS update access by default,
ANYONE in the world could hijack any BIND based DNS server and point any DNS
name on those domains to some other address, leading to the immediate
collapse of the Internet. This is in addition to the point that Cricket made
that on a multi-user system, anyone with a local login would have the ability
to make changes simply by running the nsupdate command or compiling it for
themselves if you don't give users permission to the nsupdate command that
you installed. Now that you have DNS updates working based on IP address of
the sender, you should probably look at using TSIG-signed updates, which add
an encrypted signature to the update that "can't" be forged.

Steve

> So it's being refused.  Ok, I need to add the IP address of the primary
> master to the allow-update section of the master zone file in
> /etc/named.conf.  That works.  Why doesn't it allow updates from itself by
> default?
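As an added example that is not part of Steve's post or the original thread, the two forms side by side in BIND 9 named.conf syntax: the source-address form the original poster had working, and the TSIG-keyed form Steve recommends. The key name nsupdate-key, the zone example.com, the addresses and the secret are placeholders chosen for this illustration; the secret shown is a throwaway base64 value, not one to deploy.

```conf
// Source-address form (what the poster had working): the match is on the
// source IP of a UDP packet, which any host on the Internet can forge, so
// in practice this grants update rights to anyone who can spoof 192.0.2.10.
//
// zone "example.com" {
//     type master;
//     file "example.com.zone";
//     allow-update { 127.0.0.1; 192.0.2.10; };
// };

// TSIG form: each update carries an HMAC computed over the message with a
// shared secret, and the server accepts the update only if the MAC verifies
// under that key. The packet's source address no longer matters.
key "nsupdate-key" {
    algorithm hmac-sha256;   // old BIND 9 releases only offered hmac-md5
    // Throwaway example value (base64 of "example-only-not-a-real-secret");
    // generate a real one with: tsig-keygen nsupdate-key
    secret "ZXhhbXBsZS1vbmx5LW5vdC1hLXJlYWwtc2VjcmV0";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { key nsupdate-key; };   // signed-with-this-key only, no IP list
};

// Client side, an nsupdate batch fed on stdin and signed with the same key
// via "nsupdate -k <keyfile>" or "nsupdate -y hmac-sha256:nsupdate-key:<secret>":
//   server 192.0.2.10
//   zone example.com.
//   update add www.example.com. 300 IN A 192.0.2.20
//   send
```

Check the result with `named-checkconf` after editing, and keep the key file readable by named and the nsupdate user only: the secret is the whole access control now, so a world-readable key file gives every local login the same update rights the source-address list did.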
