Jeff Lightner wrote:
Circular argument: allowing zone transfers is bad if one didn't intend to allow zone transfers.I can't quite agree with that.While public information is indeed public it is intended to be so for specific lookups not for zone transfers.
Someone external to you asking get a zone transfer may be looking for what he can exploit.
Speculative argument: someone may do something bad with information that was intentionally made public.
Maybe he can find that information anyway with enough digging but why make it easy for him?On the other hand, why make it harder for good and bad folks alike? Superfluous concealment often raises curiosity and attracts probing. (Don't even get me started on whether BIND version numbers should be suppressed/spoofed; I think you might be able to guess where I stand on that too).
Why not allow knowledgeable experts to diagnose problems with your external-facing zones, or business partners to set up "stealth slaves", if they wish, for architectural, performance and/or availability reasons, without having to reconfigure one's nameserver, and/or generate/distribute a TSIG key, every time they want to?
Consider long and deep how much configuration complexity and "churn" raises opportunities for infrastructure breakins and/or denials of service, perhaps far more than simple information disclosures ever could...
- Kevin
P.S. I've already lost this argument in our own organization, so don't even bother with the "practice what you preach" observation. I can but offer advice to others to avoid such a ridiculous state of affairs.
-----Original Message----- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy Sent: Wednesday, November 11, 2009 12:53 PM To: bind-users@lists.isc.org Subject: Re: bind configuration help Holger Honert wrote:If the infos are public, they're public, the only difference is that zone transfers are a more efficient way of fetching more than about 2 or 3 records in a single transaction, compared to querying each one individually.Security issues! Usually you only want *trusted* clients to use your server recursively.And you don't really want to allow *any* fetching your hosted zones for doing something bad, i.e. getting (unwanted!) infosover your network and infrastructure.If you want your network and infrastructure infos to be private, then put them in a private zone that can't be queried from the Internet at all.- KevinRegards Holger Jukka Pakkanen schrieb:Sorry, but could You specify more accurately what is "bad" ? This is my first bind configuration, so probably I've made some mistakes, but I'd like to do it the right way in the end.:) On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON <lca...@lncsa.com> wrote:allow-recursion { any; };badallow-transfer { any; };badIt's usually a bad idea to allow "any" to use your server recursively, or allow "any" transfer zone data. Like an "open dns-server". _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users------------------------------------------------------------------------ SIGNAL Krankenversicherung a. G., Sitz: Dortmund, HR B 2405, AG Dortmund IDUNA Vereinigte Lebensversicherung aG für Handwerk, Handel und Gewerbe, Sitz: Hamburg, HR B 2740, AG Hamburg Deutscher Ring Krankenversicherungsverein a.G., Sitz: Hamburg, HR B 4673, AG Hamburg, SIGNAL IDUNA Allgemeine Versicherung AG, Sitz: Dortmund, HR B 19108, AG Dortmund Vorstände: Reinhold Schulte (Vorsitzender), Wolfgang Fauter (stellv. Vorsitzender), Dr. Karl-Josef Bierth, Jens O. Geldmacher, Marlies Hirschberg-Tafel, Michael Johnigk, Ulrich Leitermann, Michael Petmecky, Dr. Klaus Sticker, Prof. Dr. Markus Warg Vorsitzender der Aufsichtsräte: Günter Kutz SIGNAL IDUNA Gruppe Hauptverwaltungen, Internet: www.signal-iduna.de 44121 Dortmund, Hausanschrift: Joseph-Scherer-Str. 3, 44139 Dortmund 20351 Hamburg, Hausanschrift: Neue Rabenstraße 15-19, 20354 Hamburg _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-usersProud partner. Susan G. Komen for the Cure. Please consider our environment before printing this e-mail or attachments.---------------------------------- CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. ----------------------------------
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
