Problem with named of a network error or problem with the configuration on the interconnecting peers?
Kevin Darcy
kcd at chrysler.com
Fri Aug 15 21:14:44 UTC 2008
Andrey G. Sergeev (AKA Andris) wrote:
> Greetings Kevin,
>
>
> Thu, 14 Aug 2008 16:47:02 -0400 Kevin Darcy wrote:
>
> [...]
>
>
>>> I also recommend you to restrict the AXFR queries.
>>>
>>>
>>>
>> Why? It's public information, and as you yourself have just
>> demonstrated, leaving zone transfers open is useful for
>> troubleshooting.
>>
>
> Well, the public nature of DNS data may seem to be a good reason to
> expose it, but not for everyone and in every case. I think that the DNS
> administrators should decide whether to disclose the [sometimes]
> sensitive zone data or not on a "for whom, how" basis. Let's imagine that
> your zone has some RRs for the Windows PCs, DCs, print servers, lab
> equipment etc. I don't consider that conscientious or evil strangers
> just like me and you need to know much about this private stuff.
>
So, put that stuff in a separate zone and slap an allow-query on it, if
it's so important to keep private. If it's in a generally-queryable
zone, it's findable; zone transfer is just a more convenient way of
accomplishing the same thing.
>
>> Please don't fall victim to the Security paranoid tunnel vision that
>> says we should restrict all information as much as possible, without
>> any thought given to direct consequences and ripple effects. Take
>> that kind of wrong thinking to its logical conclusion, and we
>> shouldn't be using DNS at all (since names expose "too much
>> information" about our conventions, our thinking patterns, our
>> language, our culture, etc.).
>>
>
> No, I'm not paranoid, nor do I support the well-known and dubious
> principle of "security through obscurity".
>
> Thanks for your point of view.
>
> P.S.
> [andris at raibina ~]$ dig @ns-12.extra.daimlerchrysler.com. chrysler.com. axfr
>
> ; <<>> DiG 9.5.0-P1 <<>> @ns-12.extra.daimlerchrysler.com. chrysler.com.
> axfr
> ; (1 server found)
> ;; global options: printcmd
> ; Transfer failed.
>
> ;)
>
Instituted over my protests (not that I'm bitter, of course). I still
have authority to selectively open it up for "technical" reasons though,
so if you need access, let me know.
- Kevin
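The split Kevin describes (a public zone that anyone may query but only designated secondaries may transfer, and a separate internal zone that outsiders cannot even query), written out as a BIND named.conf fragment. This is an added example, not configuration from either poster or from the servers mentioned in the thread; the zone names, file names and addresses (RFC 5737/3849 documentation ranges) are constructed placeholders.

```conf
// Constructed ACLs: the secondaries that may pull full copies, and the
// internal networks allowed to see the private zone at all.
acl "secondaries" { 192.0.2.53; 2001:db8::53; };
acl "corp-nets"   { 10.0.0.0/8; localhost; };

options {
    directory "/var/named";
    // Global default: no zone is transferable unless a zone block says so.
    allow-transfer { none; };
};

// Public zone: queryable by anyone, transferable only to our own secondaries.
// A stranger's "dig axfr" against this server gets "Transfer failed."
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query    { any; };
    allow-transfer { secondaries; };
};

// Internal hosts (PCs, DCs, print servers, lab gear) live in their own zone.
// Because the world cannot query it, there is nothing there to enumerate,
// by AXFR or by guessing names one at a time.
zone "corp.example.com" {
    type master;
    file "db.corp.example.com";
    allow-query    { corp-nets; };
    allow-transfer { secondaries; };
};
```

Run `named-checkconf` after editing, then repeat the `dig @server zone axfr` check from the thread once from a secondary and once from an unlisted host; only the first should return records.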