Re: debian.org DNSs allow unrestricted zone transfers
On Tue, 15 May 2007, Abel Martín wrote:
> I thought zone transfers should only be possible between DNSs which
> have records for the same domain, so why are debian.org DNSs (raff,

Only if you have a reason to hide who is in your domain.

> possibility of suffering DoS attacks (it serves 254 records). Is there
> an explanation for this?

Well, I am not sure about the DoS possibilities, but I take advantage of the fact that it allows zone transfers to have a local mirror of @d.o in my bind resolver.

--
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: debian.org DNSs allow unrestricted zone transfers
martin f krafft wrote:
> also sprach Giacomo A. Catenazzi <[EMAIL PROTECTED]> [2007.05.15.1646 +0200]:
>> the theory: zone transfer of a DNS gives internal information about
>> structure and IPs of internal machines.
>
> my theory: that information should be public, or at least if it were,
> the network should not be unsafer because of it.
>
>> I think a simple scan could give the same information, and anyway
>> the name of debian machines is listed also on the web.
>
> i see no attack vector.

I agree with you. The "the theory" should be read as: "security books write this, but ..."

Without zone transfer, you simplify the detection of net-scans, but an attacker could use a lot of machines, a lot of time (a few packets per day), and eventually use the automatic response as a vector for a DoS.

So I agree with you.

ciao
cate

PS: on my machines, I see that only switch.ch tries to transfer zones from my domains (I think for statistics, but nothing on the net).
Re: debian.org DNSs allow unrestricted zone transfers
also sprach Giacomo A. Catenazzi <[EMAIL PROTECTED]> [2007.05.15.1646 +0200]:
> the theory: zone transfer of a DNS gives internal information about
> structure and IPs of internal machines.

my theory: that information should be public, or at least if it were, the network should not be unsafer because of it.

> I think a simple scan could give the same information, and anyway
> the name of debian machines is listed also on the web.

i see no attack vector.

--
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-     Debian - when you have better things to do than fixing systems

i've not lost my mind. it's backed up on tape somewhere.

signature.asc
Description: Digital signature (GPG/PGP)
Re: debian.org DNSs allow unrestricted zone transfers
martin f krafft wrote:
> also sprach Abel Martín <[EMAIL PROTECTED]> [2007.05.15.1356 +0200]:
>> I thought zone transfers should only be possible between DNSs which
>> have records for the same domain, so why are debian.org DNSs (raff,
>> rietz, klecker) allowing zone transfers? Maybe I'm paranoid, but I
>> think there are security issues related to this, including the
>> possibility of suffering DoS attacks (it serves 254 records). Is there
>> an explanation for this?
>
> Where is the attack vector? I can DoS those servers in other ways too.

the theory: zone transfer of a DNS gives internal information about structure and IPs of internal machines.

I think a simple scan could give the same information, and anyway the name of debian machines is listed also on the web.

ciao
cate
Re: debian.org DNSs allow unrestricted zone transfers
also sprach Abel Martín <[EMAIL PROTECTED]> [2007.05.15.1356 +0200]:
> I thought zone transfers should only be possible between DNSs
> which have records for the same domain, so why are debian.org DNSs
> (raff, rietz, klecker) allowing zone transfers? Maybe I'm
> paranoid, but I think there are security issues related to this,
> including the possibility of suffering DoS attacks (it serves 254
> records). Is there an explanation for this?

Where is the attack vector? I can DoS those servers in other ways too.

--
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-     Debian - when you have better things to do than fixing systems

#include
debian.org DNSs allow unrestricted zone transfers
Hi,

I thought zone transfers should only be possible between DNSs which have records for the same domain, so why are debian.org DNSs (raff, rietz, klecker) allowing zone transfers? Maybe I'm paranoid, but I think there are security issues related to this, including the possibility of suffering DoS attacks (it serves 254 records). Is there an explanation for this?

You can check this with:

    dig -t axfr debian.org @raff.debian.org

Regards,
Abel
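For readers who want to see what the two sides of this thread look like in practice, here is an added BIND 9 named.conf example (written for this page, not configuration from Debian's DNS admins or anyone in the thread). It shows the open `allow-transfer { any; };` setting that Abel observed next to a version restricted to named secondaries with TSIG, a logging channel so that transfer requests are visible (the detection angle Giacomo raises), and a secondary zone of the kind Henrique uses to mirror a zone into his local resolver. The zone name `example.org`, the key name `xfer-key`, the secret, and all addresses (192.0.2.x, 2001:db8::x are documentation ranges) are placeholders.

```conf
// Added example: BIND 9 named.conf fragments. Zone name, key, secret and
// addresses are placeholders, not values from the thread.

// ---- Primary: weak setting (what the thread observed) ----
// Any client can pull the entire zone with a single AXFR request.
// This and the restricted definition below are alternatives: use one.
zone "example.org" {
    type master;
    file "/etc/bind/db.example.org";
    allow-transfer { any; };
};

// ---- Primary: restricted setting ----
// Shared secret for signing transfer requests; generate a real one with
// `tsig-keygen xfer-key` and install the same key on every secondary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_TSIG_KEYGEN==";   // placeholder
};

acl "secondaries" { 192.0.2.53; 2001:db8::53; };            // placeholder IPs

zone "example.org" {
    type master;
    file "/etc/bind/db.example.org";
    // Only requests signed with the key (and, belt and braces, from the
    // listed secondaries) get the zone. Everyone else sees "Transfer failed."
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify { 192.0.2.53; 2001:db8::53; };
};

// ---- Primary: make transfer attempts visible ----
// xfer-out records every outbound transfer (granted or refused), which is
// the signal you lose if the zone is simply open to the world.
logging {
    channel xfer_log {
        file "/var/log/named/xfer.log" versions 3 size 5m;
        print-time yes;
        print-category yes;
    };
    category xfer-out { xfer_log; };
};

// ---- Secondary, or a local resolver mirroring the zone ----
// Sign requests to the primary with the same key; BIND refreshes the copy
// from the SOA timers and on NOTIFY, so lookups are answered locally.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_TSIG_KEYGEN==";   // same placeholder
};

server 192.0.2.1 { keys { "xfer-key"; }; };                  // primary, placeholder

zone "example.org" {
    type slave;
    file "/var/cache/bind/db.example.org";
    masters { 192.0.2.1; };
};
```

After reloading the primary, the check Abel gives still works as the test: `dig -t axfr example.org @192.0.2.1` from an unlisted host should print `; Transfer failed.`, while `dig -t axfr example.org @192.0.2.1 -y hmac-sha256:xfer-key:<secret>` from a listed secondary returns the full zone, and each attempt appears in xfer.log. The nested `!{ !secondaries; any; }` element is BIND's idiom for "deny anything not in the ACL, then require the key", so an address match alone is not enough.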