Problem with named of a network error or problem with the configuration on the interconnecting peers?
Andrey G. Sergeev (AKA Andris)
andris at aernet.ru
Thu Aug 14 21:42:14 UTC 2008
Greetings Kevin,
Thu, 14 Aug 2008 16:47:02 -0400 Kevin Darcy wrote:
[...]
>> I also recommend you to restrict the AXFR queries.
>
> Why? It's public information, and as you yourself have just
> demonstrated, leaving zone transfers open is useful for
> troubleshooting.
Well, though the publicity of DNS data seems to be a good reason to
expose it, that is not so for everyone and in every case. I think that DNS
administrators should decide whether to disclose the [sometimes]
sensitive zone data or not on a "for whom, how" basis. Let's imagine that
your zone has some RRs for the Windows PCs, DCs, print servers, lab
equipment etc. I don't consider that conscientious or evil strangers
just like me and you need to know much about this private stuff.
> Please don't fall victim to the Security paranoid tunnel vision that
> says we should restrict all information as much as possible, without
> any thought given to direct consequences and ripple effects. Take
> that kind of wrong thinking to its logical conclusion, and we
> shouldn't be using DNS at all (since names expose "too much
> information" about our conventions, our thinking patterns, our
> language, our culture, etc.).
No, I'm not paranoid, nor do I support the well-known and dubious
principle "security through obscurity".
Thanks for your point of view.
P.S.
[andris at raibina ~]$ dig @ns-12.extra.daimlerchrysler.com. chrysler.com. axfr
; <<>> DiG 9.5.0-P1 <<>> @ns-12.extra.daimlerchrysler.com. chrysler.com. axfr
; (1 server found)
;; global options: printcmd
; Transfer failed.
;)
--
Yours sincerely,
Andrey G. Sergeev (AKA Andris) http://www.andris.name/
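As an added example (not part of this message or the thread), here is what the AXFR restriction discussed above looks like in BIND's named.conf: the open default beside a configuration that limits transfers to one secondary that must also sign with a TSIG key. The zone name, the 192.0.2.53 address and the key name are assumptions.

```conf
// Added example, not from the original message: BIND named.conf
// fragments showing an open AXFR policy beside a restricted one.
// Zone name, addresses and key name below are assumptions.

// --- Weak: BIND allows zone transfers to anyone unless told otherwise,
// so a zone with no allow-transfer statement answers AXFR from any client.
zone "example.com" {
    type master;
    file "zones/db.example.com";
};

// --- Hardened: deny transfers globally, then allow them per zone
// only to the secondary's address AND only when signed with a TSIG key.
key "xfer-key" {
    algorithm hmac-sha256;
    // placeholder; generate a real secret with tsig-keygen
    // (dnssec-keygen -a HMAC-SHA256 -n HOST on older BIND releases)
    secret "REPLACE-WITH-BASE64-SECRET";
};

options {
    // applies to every zone that does not set its own allow-transfer
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "zones/db.example.com";
    // Nested ACL: reject anything that is not 192.0.2.53 (documentation
    // address standing in for the secondary), then require the key.
    allow-transfer { !{ !192.0.2.53; any; }; key xfer-key; };
    // keep the secondary current so it never needs an open AXFR
    also-notify { 192.0.2.53; };
};
```

With this in place, the unsigned `dig ... axfr` shown in the P.S. returns "Transfer failed." from the primary, while the secondary, configured with the same key, still transfers normally.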