RE: blocking AXFR record query
On Wed, 28 Jan 2004, James Miller wrote:
> If memory serves.. AXFR is a zone transfer... So, at your firewall, would
> want to only allow TCP queries from your backup (secondary,
> trinary..etc.) dns servers (on the outside of your firewall) and limit
> everyone else to UDP queries.

I am no BIND expert, but please do not block TCP 53 unless you want to drop about 20% (might be another percentage at your site) of all valid lookups too! There is a long-standing myth that DNS traffic is UDP only (excepting zone transfers). THIS IS NOT TRUE.

I am sorry, I can't help you with the BIND specific stuff.

Grx HdV
Re: blocking AXFR record query
David Barroso wrote:
> * James Miller ([EMAIL PROTECTED]) wrote:
>> If memory serves.. AXFR is a zone transfer... So, at your firewall, would
>> want to only allow TCP queries from your backup (secondary,
>> trinary..etc.) dns servers (on the outside of your firewall) and limit
>> everyone else to UDP queries. And for your bind9 config something like
>> this:
>
> It is not a good idea to block TCP packets to your DNS server, since TCP is
> not only used for zone transfer, it is also used when answering a DNS query
> with a response that does not fit in a normal UDP datagram.

In fact the limit is even much lower, namely 512 bytes (a UDP datagram has a 16-bit length field). But whether responses of your server will have to be truncated is entirely under your control and many sites don't have RRs that will cause more than a 512 byte response to be used.

Cheers,
Tobias
Re: blocking AXFR record query
* James Miller ([EMAIL PROTECTED]) wrote:
> If memory serves.. AXFR is a zone transfer... So, at your firewall, would
> want to only allow TCP queries from your backup (secondary,
> trinary..etc.) dns servers (on the outside of your firewall) and limit
> everyone else to UDP queries. And for your bind9 config something like
> this:

It is not a good idea to block TCP packets to your DNS server, since TCP is not only used for zone transfer, it is also used when answering a DNS query with a response that does not fit in a normal UDP datagram.
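The TCP fallback that HdV, David and Tobias describe, as an added example that is not code from the thread: it decodes the DNS header, shows a server setting the TC bit when an answer exceeds the 512-byte UDP limit, and the client-side rule that such a query must be repeated over TCP/53, which is exactly what a firewall blocking TCP 53 breaks. All messages are constructed inline; the udp_max parameter generalises to an EDNS0-advertised buffer size, which the thread itself does not cover.

```python
import struct

DNS_UDP_MAX = 512   # RFC 1035 UDP payload limit when no EDNS0 size is advertised
FLAG_QR = 0x8000    # header flag: message is a response
FLAG_TC = 0x0200    # header flag: response was truncated

def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def udp_reply(full_response, udp_max=DNS_UDP_MAX):
    """Server side: an answer larger than what the client can take over UDP is
    sent truncated with TC=1. Simplified: a real server drops whole records
    instead of cutting at a byte offset, but the header handling is the same."""
    if len(full_response) <= udp_max:
        return full_response
    ident, flags = struct.unpack("!HH", full_response[:4])
    return struct.pack("!HH", ident, flags | FLAG_TC) + full_response[4:udp_max]

def needs_tcp_retry(udp_response):
    """Client side: a resolver that receives a response with TC set repeats the
    same query over TCP. If TCP/53 is firewalled, that retry fails and an
    ordinary lookup (not a zone transfer) is lost."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]

def make_response(ident, payload_len):
    """Constructed sample: a response header with ANCOUNT=1 followed by
    payload_len filler bytes standing in for the question and answer sections."""
    header = struct.pack("!HHHHHH", ident, FLAG_QR, 1, 1, 0, 0)
    return header + b"\x00" * payload_len

if __name__ == "__main__":
    small = make_response(0x1234, 100)    # fits in one UDP datagram
    large = make_response(0x1235, 1500)   # e.g. a big TXT, MX or DNSSEC answer
    for name, full in (("small", small), ("large", large)):
        sent = udp_reply(full)
        print(name, len(sent), "bytes on the wire, retry over TCP:", needs_tcp_retry(sent))
```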
RE: blocking AXFR record query
If memory serves.. AXFR is a zone transfer... So, at your firewall, would want to only allow TCP queries from your backup (secondary, trinary..etc.) dns servers (on the outside of your firewall) and limit everyone else to UDP queries. And for your bind9 config something like this:

    // In named.conf: inside options { } this is the global default,
    // inside a zone { } block it applies to that zone only.
    allow-transfer {
        192.0.2.53;      // backup.dns1.host.blah (placeholder address: BIND takes
        198.51.100.53;   // backup.dns2.host.blah  IPs, prefixes, ACL names or keys, not hostnames)
        localhost;
    };

just my $0.02
--jimm

> -----Original Message-----
> From: LeVA [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 28, 2004 12:44 PM
> To: Debian-Security
> Subject: blocking AXFR record query
>
> Hi!
>
> Anyone could tell me how could I deny the AXFR record query on my bind
> server? I'm looking for some global variable, not specifying
> per-address.
>
> Thanks!
>
> Daniel
>
> --
> LeVA
Re: blocking AXFR record query
Quoting LeVA ([EMAIL PROTECTED]):
> Anyone could tell me how could I deny the AXFR record query on my bind
> server? I'm looking for some global variable, not specifying
> per-address.

I think the split-DNS example at the end of section 4.3, here, will help:
http://www.csd.uwo.ca/staff/magi/doc/bind9/Bv9ARM.ch04.html#AEN725

--
Cheers,                    "Send a policeman, and have it arrested."
Rick Moen                      -- Otto von Bismarck, when asked what he
[EMAIL PROTECTED]                 would do if the British Army landed.