[NBLUG/talk] BIND and allow-transfer

Sean seanvanco at gmail.com
Wed Aug 9 09:31:06 PDT 2006


Thank you for your response. I figured that there was something missing
from my research, and I appreciate your telling me.

Sean

On 8/9/06, Eric Eisenhart <eric at nblug.org> wrote:
> On Wed, Aug 09, 2006 at 08:58:03AM -0700, Sean wrote:
> > The last week I have been setting up a pair of BIND DNS servers, and I
> > came across a security question I was hoping someone here could clear
> > up.
> >
> > If allow-transfer in named.conf is set to a specific IP address, do I
> > still need to block TCP port 53 to all but my secondary that will be
> > pulling the updates? I presume that allowing only my secondary will
> > prevent other servers from getting my domain files, but I cannot find
> > that information.
>
> So, three things here:
>
> 1) You should always allow port 53 both UDP and TCP to your DNS servers.
> Transfers are not the only thing that goes over TCP.  If another server (or
> client) has a query with a result that won't fit into a UDP packet it will
> mark it as such and the client will send the same request via TCP.  Some
> clients seem to ask via TCP just for the heck of it, too.  (perhaps they're
> consolidating multiple requests into one...  perhaps the unreliability of
> UDP lost something and they fall back to TCP...)
>
> 2) DNS is publication and there's a very minimal amount of protection from
> blocking zone transfers of public information that you've put up for
> publication.  Preventing zone transfers is really just a "security through
> obscurity" measure that's unlikely to help you at all.  Securing the
> networks and/or the devices/systems is vastly more useful than trying to
> hide them in public view.
>
> 3) It's possible to simulate a zone transfer only over UDP using a technique
> called "NXT walking".  It is possible to block this, but there's other
> repercussions and see #2: DNS is publication.
>
> All that said, the DNS servers I deal with all allow both UDP and TCP
> connections as do any firewalls between them and the intended clients, but I
> still set allow-transfer to just the other systems I expect to hold a copy
> of the zone; makes denial of service attacks very slightly harder.
>
> Summary: don't block TCP port 53 to your DNS server.
> --
> Eric Eisenhart
> NBLUG Co-Founder
> The North Bay Linux Users Group -- http://nblug.org/
> eric at nblug.org, IRC: Freiheit at fn AIM: falschfreiheit
>
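The three points in the quoted reply, as an added example that is not part of the original thread or of BIND: a minimal DNS client that asks over UDP first, repeats the question over TCP when the answer comes back with the TC (truncated) bit set, and sends an AXFR (QTYPE 252) over TCP the way a secondary would. Run against a server whose allow-transfer lists only the secondary, the AXFR from any other host comes back REFUSED, while ordinary queries still need TCP/53 for truncated answers. The server address, the zone name and the fixed transaction ID 0x1234 are assumptions for illustration; the sample response bytes used for the offline checks are constructed, not captured.

```python
"""Constructed example: UDP query with TCP fallback on TC=1, and AXFR over TCP."""
import socket
import struct

# Wire constants from RFC 1035; AXFR is QTYPE 252.
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AXFR": 252}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
         4: "NOTIMP", 5: "REFUSED"}
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
TXID = 0x1234  # assumed fixed transaction ID; a real client randomises this


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=TXID):
    """Standard query: 12-byte header (RD set, QDCOUNT=1) plus one IN question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg):
    """Decode the header fields a client needs: ID, QR, TC, RCODE and the counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": RCODE.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response, txid=TXID):
    """A UDP answer with TC=1 is incomplete; the client must repeat it over TCP."""
    h = parse_header(udp_response)
    return h["id"] == txid and h["qr"] and h["tc"]


def tcp_frame(msg):
    """Over TCP every DNS message is preceded by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def recv_tcp_message(sock):
    """Read exactly one length-prefixed DNS message from a TCP socket."""
    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("server closed the connection mid-message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", recv_exact(2))
    return recv_exact(length)


def query_udp(server, name, qtype, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return data


def query_tcp(server, name, qtype, timeout=5.0):
    # Fails with a timeout or refusal if TCP/53 is firewalled, which is point 1.
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(name, qtype)))
        return recv_tcp_message(s)  # for AXFR this is only the first message


def resolve(server, name, qtype):
    """UDP first, TCP on truncation; AXFR goes straight to TCP like a secondary."""
    if qtype == "AXFR":
        return "tcp", parse_header(query_tcp(server, name, qtype))
    data = query_udp(server, name, qtype)
    if needs_tcp_retry(data):
        return "tcp", parse_header(query_tcp(server, name, qtype))
    return "udp", parse_header(data)


if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1], sys.argv[2]  # e.g. 192.0.2.1 example.com (assumed)
    for qtype in ("SOA", "AXFR"):
        transport, h = resolve(server, zone, qtype)
        print(qtype, "over", transport, "->", h["rcode"], "ancount", h["ancount"])
```

Against a primary with `allow-transfer` restricted to the secondary, the SOA query answers NOERROR and the AXFR from an unlisted host answers REFUSED; if TCP/53 is blocked at the firewall instead, the AXFR and every truncated answer simply time out, which is the failure the reply warns about.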
