>Yes, it is possible if you allow any host (IP address) to do zone
>transfers. Most name server daemons allow you to specify which hosts you
>want to allow to request transfers, and block all others. You can also
>block TCP port 53 and only allow UDP port 53 with an ACL or firewall
>ruleset. I do both.


Careful... blocking TCP 53 might break certain Microsoft software DNS lookups.
Apparently, Exchange, IIS and other MS software have a tendency to use TCP 53
for their DNS queries (requests too large for a UDP packet).

You're also breaking the RFC (1035), which specifies that both TCP and UDP
should be left open.

Cheers,
Anders :)
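The per-host restriction the quoted message describes, shown as an added BIND 9 named.conf example (not configuration posted by anyone in this thread). The ACL name, addresses, zone name and file path are placeholders; the weak setting is kept as a comment beside the restricted one, and TCP 53 is left open on the host as the reply above recommends.

```conf
// Added example: restricting zone transfers in BIND 9.
// ACL name, addresses, zone name and file path are placeholders.

// Weak setting (commented out): any host may request a full zone transfer.
// options { allow-transfer { any; }; };

acl "secondaries" {
    192.0.2.10;        // placeholder: first secondary name server
    192.0.2.11;        // placeholder: second secondary name server
};

options {
    // Global default: refuse AXFR/IXFR from every host not in the ACL.
    allow-transfer { secondaries; };
    // TCP port 53 stays open on the host firewall: RFC 1035 uses TCP for
    // zone transfers and for answers too large for a single UDP datagram.
};

zone "example.com" {
    type master;
    file "db.example.com";             // placeholder path
    // Per-zone setting; "allow-transfer { none; };" would disable transfers
    // for this zone only.
    allow-transfer { secondaries; };
};
```

Reload with `rndc reload` after editing, then confirm from a host outside the ACL that a transfer request is refused while ordinary lookups over both UDP and TCP still succeed.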

