"stealth master" DNS Security

Frank Pikelner Frank.Pikelner at netcraftcommunications.com
Wed Mar 25 17:12:31 UTC 2009


You can build a tunnel between the servers using openvpn to secure
zone transfers. May also need policy based routing depending on what
else you do. If you are doing zone transfers across a network you
control and have concerns about exposing data on it such as dns zone
transfers, you may want to start at the network.

Frank Pikelner

On 25-Mar-09, at 9:22 AM, "Ram Akuka" <ramakuka at gmail.com> wrote:

> Alan,
> Is there any way I can encrypt the zone transfer data (without using
> any third-party encryption tool)?
>
> Thanks,
>
> --
> Ram
>
>
> 2009/3/25 Alan Clegg <Alan_Clegg at isc.org>:
>> Ram Akuka wrote:
>>> but encrypting the file system won't do the work here.
>>> i agree that storing the key and the encrypted data on the same
>>> machine is useless in security terms. that's why i'm looking for a
>>> built-in solution.
>>> is there any way the slave server can save the zone in a format
>>> different than clear text?
>>
>> TSIG does not "encrypt" the on-the-wire AXFR/IXFR data, and all of
>> your queries are being done "in the clear", so I think that you may be
>> over-engineering this part of the operation.
>>
>> You may want to worry more about securing the box so that the
>> attacker can't get on in the first place.
>>
>> AlanC
>>
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
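Frank's suggestion above (an OpenVPN tunnel between master and slave) together with Alan's point that TSIG only authenticates the AXFR/IXFR, written out as BIND named.conf fragments. This is an added example, not configuration from the thread; the tunnel addresses 10.8.0.1 (master) and 10.8.0.2 (slave), the zone example.com, and the key name and secret are assumed placeholders.

```conf
// ---- on the master (tunnel address 10.8.0.1) ----
// TSIG proves the transfer request comes from a holder of the shared key;
// it does not encrypt the zone data. Confidentiality comes from the tunnel.
key "xfer-example" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-base64-secret";   // placeholder: generate with tsig-keygen
};

// Sign/verify all traffic with the slave's tunnel address using this key
server 10.8.0.2 {
    keys { "xfer-example"; };
};

zone "example.com" {
    type master;
    file "master/example.com.db";
    // Two conditions must both hold: the request arrives from the slave's
    // tunnel address (the nested negated ACL rejects every other source)
    // AND it is signed with the TSIG key.
    allow-transfer { !{ !10.8.0.2; any; }; key "xfer-example"; };
    also-notify { 10.8.0.2; };           // NOTIFY rides the tunnel too
};

// ---- on the slave (tunnel address 10.8.0.2) ----
key "xfer-example" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-base64-secret";   // same placeholder secret as the master
};

server 10.8.0.1 {
    keys { "xfer-example"; };
};

zone "example.com" {
    type slave;
    file "slave/example.com.db";          // still written in clear text on disk
    masters { 10.8.0.1; };                // master's tunnel address, not its public IP
    allow-notify { 10.8.0.1; };
};
```

Because `masters` and `also-notify` point at tunnel addresses, the zone transfer never leaves the OpenVPN link in the clear; the slave's zone file on disk is unchanged by this, which is the part Alan's reply says is better handled by securing the host.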
