Problem with named of a network error or problem with the configuration on the interconnecting peers?

Kevin Darcy kcd at chrysler.com
Fri Aug 15 21:14:44 UTC 2008


Andrey G. Sergeev (AKA Andris) wrote:
> Greetings Kevin,
>
>
> Thu, 14 Aug 2008 16:47:02 -0400 Kevin Darcy wrote:
>
> [...]
>
>>> I also recommend you to restrict the AXFR queries.
>>>
>> Why? It's public information, and as you yourself have just 
>> demonstrated, leaving zone transfers open is useful for
>> troubleshooting.
>
> Well, though the public nature of DNS data seems to be a good reason to 
> expose it, that is not true for everyone and in every case. I think that the DNS 
> administrators should decide whether to disclose the [sometimes] 
> sensitive zone data or not on a "for whom, how" basis. Let's imagine that 
> your zone has some RRs for the Windows PCs, DCs, print servers, lab 
> equipment etc. I don't think that conscientious or evil strangers, 
> just like you and me, need to know much about this private stuff.
>
So, put that stuff in a separate zone and slap an allow-query on it, if 
it's so important to keep private. If it's in a generally-queryable 
zone, it's findable; zone transfer is just a more convenient way of 
accomplishing the same thing.
>
>> Please don't fall victim to the security-paranoid tunnel vision that 
>> says we should restrict all information as much as possible, without
>> any thought given to direct consequences and ripple effects. Take
>> that kind of wrong thinking to its logical conclusion, and we
>> shouldn't be using DNS at all (since names expose "too much
>> information" about our conventions, our thinking patterns, our
>> language, our culture, etc.).
>
> No, I'm not paranoid, nor do I support the well-known and dubious 
> principle of "security through obscurity".
>
> Thanks for your point of view.
>
> P.S.
> [andris at raibina ~]$ dig @ns-12.extra.daimlerchrysler.com. chrysler.com. axfr
>
> ; <<>> DiG 9.5.0-P1 <<>> @ns-12.extra.daimlerchrysler.com. chrysler.com. axfr
> ; (1 server found)
> ;; global options:  printcmd
> ; Transfer failed.
>
> ;)
>
Instituted over my protests (not that I'm bitter, of course). I still 
have authority to selectively open it up for "technical" reasons though, 
so if you need access, let me know.

- Kevin
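The two positions in the thread map onto two different BIND access controls: allow-transfer (what Andrey wants restricted) governs AXFR/IXFR, while allow-query (what Kevin suggests for a separate "private" zone) governs ordinary lookups as well. The named.conf fragment below is an added illustration written for this archive page, not configuration from either poster or from the chrysler.com servers; the zone names, addresses, ACL names and TSIG key are assumptions, and the secret is a dummy value.

```conf
// Added example, not from the thread. example.com, corp.example.com,
// the secondaries' addresses, the ACL names and the key are assumptions.

// TSIG key shared with the secondaries (generate a real one with
// `tsig-keygen transfer-key`; the secret below is a dummy placeholder).
key "transfer-key" {
    algorithm hmac-sha256;
    secret "ZHVtbXktc2VjcmV0LXJlcGxhY2UtbWU=";
};

// Only hosts presenting this key (or coming from these addresses) are
// treated as secondaries. Prefer the key: source addresses can be spoofed
// for UDP, and a key also protects the transfer's integrity.
acl "secondaries" {
    key "transfer-key";
    192.0.2.10;
    192.0.2.11;
};

// Networks that are allowed to see the "private" RRs at all.
acl "internal" {
    localhost;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    directory "/var/named";
    // Default for every zone: no transfers unless the zone says otherwise.
    allow-transfer { none; };
};

// Before: the setting Andrey objects to. Anyone who can reach the
// server (as his `dig ... axfr` shows) gets the whole zone in one query.
// zone "example.com" {
//     type master;
//     file "example.com.db";
//     allow-transfer { any; };
// };

// After: the public zone stays publicly queryable, which is what
// Kevin argues for, but transfers go only to the real secondaries.
zone "example.com" {
    type master;
    file "example.com.db";
    allow-transfer { secondaries; };
    also-notify { 192.0.2.10; 192.0.2.11; };
};

// Kevin's suggestion for the DCs, printers and lab gear: a separate
// zone with allow-query restricted, so the data is not merely harder
// to enumerate but not served to outsiders at all.
zone "corp.example.com" {
    type master;
    file "corp.example.com.db";
    allow-query    { internal; };
    allow-transfer { secondaries; };
};
```

Two caveats a practitioner would check after loading this: first, allow-query on corp.example.com only restricts this server, so internal clients must actually resolve through it (or through a resolver that is in the "internal" ACL), otherwise the restricted zone is simply unreachable; second, the parent zone's NS records for corp.example.com remain public, so the zone's existence is still visible even though its contents are not. From an outside host, `dig @ns1.example.com corp.example.com axfr` and `dig @ns1.example.com corp.example.com soa` should both be refused, while the same AXFR against example.com should be refused and the SOA lookup answered; that is the split between "findable" and "transferable" the thread is arguing about.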


