Can/Should I allow zone transfers(?) in BIND?

Kevin Darcy kcd at daimlerchrysler.com
Thu Jun 7 21:17:17 UTC 2001


kenny at panix.com wrote:

> I run a caching DNS on a couple of my locations, that each serve a few
> machines in each location.
>
> I have taken the following BIND precautions:
>
>  - I'm running BIND 8.2.4
>  - I only listen for queries on my internal-net networks
>  - I have my queries go out on a high, random source port, and only allow
>      my firewall to pass UDP from sport 52 to that dport
>  - I'm running named -g/-u as an unpriv user
>
> However, every now and then, ipchains traps lines like the following:
> (lines cut so's they aren't so long)
> --
> input DENY PROTO=6 64.14.200.154:55806 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#11)
> input DENY PROTO=6 209.249.97.40:41888 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#11)
> input DENY PROTO=6 216.33.35.214:45341 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=246 (#11)
> input DENY PROTO=6 208.184.162.71:17836 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#11)
> input DENY PROTO=6 207.55.138.206:63668 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#11)
> input DENY PROTO=6 64.37.200.46:36642 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#11)
> --
>
> I'm assuming these are zone xfer requests from DNS servers I've previously
> contacted while serving up DNS for my local 'net.
>
> Questions:
>
>  - is this a proper assumption?

Probably not. Why would a nameserver ask you for a zone transfer just because you asked
*it* about a name? How would it even know what zone to ask for?

>  - I notice SYN's not set- so does this mean I've initiated this? If so,
>    why are they coming back to the default DNS port (which I don't use)?

The SYN-bit would be set regardless of who initiated the TCP connection. The absence of SYN from
the logs indicates some sort of logging quirk.

>  - is my DNS trying to update other BINDs with my (totally bogus) local zone?

Doubtful. Zone transfers are initiated by slaves, pulling data from masters, not masters
reaching out to update slaves. The only other kind of "update" that would seem remotely relevant
is Dynamic Update, but named doesn't generate those.

>  - should I let these in?

Not until you figure out what they are.

If it were me, I'd be doing a packet capture to determine just that.

- Kevin
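A small triage script for log lines like the ones quoted above, added here as an example and not code from the thread: it parses the ipchains DENY format, records whether the SYN token was logged at all, and tags inbound TCP/53 as something to capture before deciding, as the reply recommends. The two 198.51.100.x lines are constructed to exercise the SYN and UDP cases; the other six are the poster's.

```python
import re
from collections import Counter

# ipchains "Packet log" format as trimmed in the post: the interface name is optional
# (the poster cut it) and the trailing SYN token is the one the poster noticed was absent.
IPCHAINS_RE = re.compile(
    r"(?P<chain>\w+) (?P<target>\w+) (?:(?P<iface>\w+) )?PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

# Six lines from the post plus two constructed ones (SYN-flagged TCP, and UDP).
SAMPLE_LOG = """\
input DENY PROTO=6 64.14.200.154:55806 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#11)
input DENY PROTO=6 209.249.97.40:41888 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#11)
input DENY PROTO=6 216.33.35.214:45341 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=246 (#11)
input DENY PROTO=6 208.184.162.71:17836 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#11)
input DENY PROTO=6 207.55.138.206:63668 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=244 (#11)
input DENY PROTO=6 64.37.200.46:36642 63.122.141.47:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#11)
input DENY eth0 PROTO=6 198.51.100.7:40001 63.122.141.47:53 L=60 S=0x00 I=0 F=0x4000 T=50 SYN (#11)
input DENY eth0 PROTO=17 198.51.100.9:33333 63.122.141.47:53 L=64 S=0x00 I=0 F=0x0000 T=50 (#11)
"""

def parse_line(line):
    """Return the packet fields as a dict, or None for lines that are not ipchains packet logs."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def classify(rec):
    """TCP to port 53 is either a zone-transfer attempt or a client retrying a truncated
    UDP answer over TCP; the log alone cannot tell, which is why a capture comes first."""
    if rec["dport"] != 53:
        return "other"
    return {6: "tcp-dns", 17: "udp-dns"}.get(rec["proto"], "other")

def summarize(log_text):
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "parsed": len(recs),
        "by_class": Counter(classify(r) for r in recs),
        "sources": sorted({r["src"] for r in recs}),
        "syn_logged": sum(r["syn"] for r in recs),  # 0 for the poster's lines
    }
```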
