Our ISP says they can't restrict zone transfers

Chris Buxton cbuxton at menandmice.com
Thu Apr 10 23:30:38 UTC 2008


An AXFR is a type of zone transfer. The other type is called IXFR, or incremental zone transfer.

Either way, what the TW script monkey told you was completely false, as you were already thinking. Restricting zone transfers would not stop anyone from retrieving specific records from your zone - that statement is called "allow-query", not "allow-transfer".

It may be that the following are true, thus making it inconvenient for TW to restrict zone transfers:

- They are not using TSIG.
- The list of source addresses of legitimate zone transfers is not well known.

Or it may simply be that their DNS management tool does not expose this functionality.

I have heard several negative anecdotes about TW's DNS staff. Good luck with this.

Chris Buxton
Professional Services
Men & Mice

On Apr 10, 2008, at 4:08 PM, William Bell wrote:
> Hi,
> First, it’s been a few years since I maintained BIND servers, so please forgive my rustiness.  :)
> I couldn’t find an answer to this particular question in the archives, so…
> What valid reason would any ISP or DNS hosting company have for NOT restricting zone transfers to valid nameservers, IP’s, hosts, etc?
>
> Also, a “zone transfer” and an AXFR request are the same thing, aren’t they?
>
> Why I’m asking this question:
> We recently determined that our ISP/DNS host (Time Warner Telecom) allows zone transfers for our domains from anywhere on the internet (as far as we can tell).  So I called and asked them to restrict zone transfers for our domains to their own DNS servers and to our internet IP blocks.  Sounds like a simple “allow-transfer” directive in our zone file, right?  Not according to the TW rep I spoke to.  They told me that, since they were the authoritative DNS servers for our domains, if they restricted zone transfers as I requested, then no one would be able to access our DNS and thus no one would be able to access our servers from the internet.  Okay, it’s been 4 or 5 years since I’ve done any DNS work, but this response struck me as a bit strange.  I began to suspect that either I was much less informed about DNS than this Time Warner rep or vice versa.
>
> In addition, during the course of the conversation, she also stated with conviction that zone transfers and AXFR’s were 2 different things.  I was so dumbfounded that I didn’t know what to say.  Again, I gave her the benefit of the doubt; I considered that maybe I had been somehow misinformed all these years or that the DNS paradigm had changed — after all this was a “level 2” person in the DNS group at Time Warner — so I let it go.  I just thanked her for her time, asked her to keep the ticket open and told her I would get back to them.
>
> I should’ve just escalated, but I started this call believing that I was making a simple request; I wasn’t prepared for a battle.  So I quickly decided that my best tactic was to retreat, regroup, and attack with more troops from a different direction.  Hence this email.  Besides, I wasn’t sure that I wanted someone who didn’t quite grasp these concepts making changes to our zone files.
>
> I realize that restricting zone transfers is a minor security enhancement, but every little bit helps.  Besides, my boss told me to get it done.  ;)
>
> Any advice would be greatly appreciated.
> Thanks
>
> -- 
> Regards,
> Bill
>
> "No trees were killed in the making of this e-mail... however,
> a large number of electrons were terribly inconvenienced."
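As an added illustration of the allow-query versus allow-transfer distinction and the TSIG/address-list options discussed in the reply above (example configuration written for this archive page, not taken from the thread or from Time Warner's servers; the zone name, addresses and key are placeholders):

```conf
# Added example: two BIND 9 named.conf fragments for the same zone.
# Fragment 1 is the weak "before" state, fragment 2 the corrected one;
# load only one of them, since a zone may be declared once.
# example.com, the RFC 5737/3849 documentation addresses and the key
# name/secret are placeholders, not values from the thread.

# --- 1. Weak: no allow-transfer, so BIND's default permits AXFR/IXFR
#        from any source address. Queries are unaffected either way.
zone "example.com" {
    type master;
    file "example.com.zone";
};

# --- 2. Corrected: a TSIG key shared with the secondaries, a named ACL
#        of their addresses, and allow-transfer limited to those.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   # placeholder; generate with tsig-keygen
};

acl "secondaries" {
    192.0.2.10;          # placeholder secondary nameserver (IPv4)
    2001:db8::53;        # placeholder secondary nameserver (IPv6)
};

zone "example.com" {
    type master;
    file "example.com.zone";
    # Ordinary lookups (A, MX, ...) stay open to the whole Internet, which
    # is what "no one would be able to access our DNS" actually depends on.
    allow-query { any; };
    # Only whole-zone transfers are restricted. Entries in the list are
    # ORed: a request is accepted if it is TSIG-signed with xfer-key OR
    # comes from a listed secondary address.
    allow-transfer { key "xfer-key"; "secondaries"; };
    # Tell the secondaries about changes so IXFR/AXFR happens promptly.
    also-notify { 192.0.2.10; 2001:db8::53; };
};
```

To confirm the change on your own zone, run `dig @ns1.example.com example.com AXFR` from an address that is not in the list; the server should answer "Transfer failed." while `dig @ns1.example.com example.com A` still returns records. If both the key and an allowed address should be required, BIND's documented idiom is `allow-transfer { !{ !"secondaries"; any; }; key "xfer-key"; };`.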


