Bill et al,

The Inverse Query (iquery) feature supported on some DNS servers should not
be used. A "would be" attacker can use this feature to obtain a zone
transfer. Zone transfers identify every machine registered with an
organization's DNS server and can be used by attackers to better understand
an organization's network.

Configure the DNS server to disable inverse queries and zone transfers.

RFC 1035, "Domain Names - Implementation and Specification" available from
ftp://ftp.isi.edu/in-notes/rfc1035.txt.

RFC 1035, Domain Names - Implementation and Specification,
ftp://ftp.isi.edu/in-notes/rfc1035.txt

Acme Byte & Wire LLC, Securing Your Name Server,
http://www.acmebw.com/securing/index.htm

At 05:11 PM 7/11/00 -0700, [EMAIL PROTECTED] wrote:
>If the information is available in DNS it can be easily extracted using
>reverse mapping so disabling Zone Transfers doesn't really accomplish
>anything.
>This article can give you some additional
>insight.
>http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
>
>
>-- Bill Stackpole, CISSP
>
>
>
>Scott Reber <[EMAIL PROTECTED]>
>Sent by: [EMAIL PROTECTED]
>
>07/11/00 04:43 PM
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: dns zone transfers
>
>I have recently been informed that a MAJOR US ISP allows zone transfers for
>zones that it hosts as secondary. Upon request to change this default for
>a particular zone this ISP said they could not.
>
>This seems to be a security risk and a disregard for the security concerns
>of their clients. Am I incorrect? How do members of this list deal with
>such an issue?
>
>_________________________________________________________________
>Scott Reber
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
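Added example (not part of the original messages): an offline Python check, using the RFC 1035 header layout, of whether a name server's reply shows that it honoured an AXFR (zone transfer) or IQUERY request on a server you administer. The function names and the sample replies are constructed for illustration.

```python
import struct

OPCODE_QUERY, OPCODE_IQUERY = 0, 1   # RFC 1035 section 4.1.1
QTYPE_AXFR, CLASS_IN = 252, 1        # RFC 1035 sections 3.2.3 and 3.2.4
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, msg_id=0x1234):
    """AXFR question for `zone`, with the 2-byte length prefix used over TCP."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_QUERY << 11, 1, 0, 0, 0)
    msg = header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "ancount": an}

def audit_response(msg):
    """Return (verdict, rcode name) for a reply to an AXFR or IQUERY probe."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["opcode"] == OPCODE_IQUERY:
        exposed = h["rcode"] == 0                       # inverse query was processed
    else:
        exposed = h["rcode"] == 0 and h["ancount"] > 0  # zone records were returned
    return ("EXPOSED" if exposed else "OK", RCODES.get(h["rcode"], str(h["rcode"])))

# Constructed sample replies (headers only), not captured from any real server.
AXFR_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)
AXFR_ALLOWED = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)
IQUERY_NOTIMP = struct.pack("!HHHHHH", 0x1234, 0x8804, 0, 0, 0, 0)

if __name__ == "__main__":
    for name, reply in [("AXFR refused", AXFR_REFUSED), ("AXFR allowed", AXFR_ALLOWED),
                        ("IQUERY not implemented", IQUERY_NOTIMP)]:
        print(name, audit_response(reply))
```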