Solving it this way will still allow everyone within your networks to do
zone transfers, which may or may not be an issue depending on how paranoid you
are, and it will also allow external users to zone transfer any zones you
put the allow-query any on.
I am not saying limiting queries like that is in any way bad, but it won't
prevent zone transfers, which is what an ls -d is.
Better to limit queries and xfers honestly.
--
-Ben Croswell
On Mon, Aug 11, 2008 at 12:00 PM, Ejaz <[EMAIL PROTECTED]> wrote:
> Thanks to all,
> it fixed now.
>
> Second option: as I should not allow others to query from my DNS server, as of
> now I am planning to go with the below option. Just I need to make sure that
> is there any alternate way to achieve the below?? Since it's very painful for
> me to add a line that says "allow-query { any; };" in each zone file.
>
>
> 1. An acl line of "allow-query { our-nets; };" would globally allow
> queries from our designated IPs but deny queries from everyone else,
> correct?
>
> 2. "allow-query { any; };" in a zone it would allow this zone to be
> queried from anyone in the world.
>
> Many thanks in advance
>
> Regards
> Ejaz
>
> ----- Original Message -----
> From: "James Pratt" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Cc: "Ejaz" <[EMAIL PROTECTED]>
> Sent: Monday, August 11, 2008 5:31 PM
> Subject: RE: ls -d
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of
> > jmc
> > Sent: Monday, August 11, 2008 10:16 AM
> > To: [email protected]
> > Subject: Re: ls -d
> >
> > --- Ejaz [Mon, Aug 11, 2008 at 04:43:25PM +0300]: ---
> > > Dear all,
> > > I have two DNS servers with the same version of BIND and with similar
> > > configuration.
> > >
> > > Whenever I go with my ns2 (ns2.cyberia.net.sa) server into nslookup
> > > mode, anyone can run the command: ls -d "domain name" as an argument and
> > > get a full dump of information about that domain.
> > >
> > > Please can anyone guide me on how do I set up my BIND to not show my
> > > domain if someone does this (ls -d "domainname") to me.
> >
> > As far as I know, ls -d just does an AXFR, so just disable AXFRs for the
> > IP making the request. I could be missing something, however.
>
> Yes, you need to shut off zone transfers to unauthorized IPs and/or
> ranges, as well as disable recursion to internet clients, e.g.:
>
> [EMAIL PROTECTED] ~]# dig @ns2.cyberia.net.sa PHP.NET
>
> ; <<>> DiG 9.3.4-P1 <<>> @ns2.cyberia.net.sa PHP.NET
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37704
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;PHP.NET. IN A
>
> ;; ANSWER SECTION:
> PHP.NET. 86395 IN A 69.147.83.197
>
> ;; AUTHORITY SECTION:
> PHP.NET. 66384 IN NS remote1.easydns.com.
> PHP.NET. 66384 IN NS remote2.easydns.com.
> PHP.NET. 66384 IN NS ns1.easydns.com.
> PHP.NET. 66384 IN NS ns2.easydns.com.
>
> ;; Query time: 192 msec
> ;; SERVER: 212.119.64.3#53(212.119.64.3)
> ;; WHEN: Mon Aug 11 10:26:16 2008
> ;; MSG SIZE rcvd: 132
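As an added example (not from any poster in this thread), here is a named.conf fragment that follows Ben's advice to limit both queries and transfers: a global deny for transfers, with an explicit per-zone exception only for the listed secondaries, so that a zone-level allow-query { any; } does not reopen AXFR to the world. The acl names, networks, zone names and file paths are placeholders.

```conf
// Added example, not from the thread. Networks and names below are placeholders.
acl "our-nets"    { 192.0.2.0/24; 198.51.100.0/24; 127.0.0.1; };
acl "secondaries" { 198.51.100.53; };   // only hosts that should ever AXFR/IXFR

options {
    directory "/var/named";
    // Global defaults inherited by every zone unless the zone overrides them.
    allow-query    { our-nets; };   // answer only our own networks by default
    allow-transfer { none; };       // "ls -d" / AXFR refused for everyone, everywhere
    recursion no;                   // authoritative-only: no lookups for Internet clients
};

// Public zone: the world must be able to query it, but the zone-level
// allow-query { any; } does NOT reopen transfers. Only the listed
// secondaries may transfer it, since allow-transfer is overridden here.
zone "example.com" IN {
    type master;
    file "master/example.com.db";
    allow-query    { any; };
    allow-transfer { secondaries; };
};

// Internal-only zone: inherits allow-query { our-nets; } and
// allow-transfer { none; } from options, so nothing needs repeating.
zone "corp.example" IN {
    type master;
    file "master/corp.example.db";
};

// Check from an address outside "secondaries" after reloading:
//   dig @ns2.example.com example.com AXFR   -> "; Transfer failed."
//   dig @ns2.example.com example.com A      -> normal answer (allow-query any)
```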