The FreeBSD Diary (TM): Providing practical examples since 1998
DNS - restricting zone transfers
31 December 1998
When you provide DNS, you are giving out a lot of information, and a zone transfer hands all of it to a hacker in one go. Just by using a simple tool like nslookup, anyone can request a zone transfer of your domain. To restrict zone transfers to specified IP addresses, use the xfrnets directive in the boot file (BIND 4) or the allow-transfer statement (BIND 8), as described below.
For BIND 4
The following is an extract from man named:

    The ``xfrnets'' directive (not shown) can be used to implement
    primitive access control. If this directive is given, then your
    name server will only answer zone transfer requests from hosts
    which are on networks listed in your ``xfrnets'' directives. This
    directive may also be given as ``tcplist'' for compatibility with
    older, interim servers.

Here's what I added to my /etc/named.boot file (well, I used a different IP address):

    xfrnets 11.22.33.44&255.255.255.255

This states that zone transfers can be accepted from 11.22.33.44 (the &255.255.255.255 mask limits the entry to that single host). Points to note:
For BIND 8
Under BIND 8, you should use something like this in named.conf (an options-level setting applies to every zone unless a zone overrides it):

    options {
        allow-transfer { 209.222.164.2; 203.32.61.10; };
    };

Or you can restrict a particular zone to particular addresses:

    zone "yourdomain.com" {
        type master;
        file "db.yourdomain";
        allow-transfer { 11.22.33.44; };
    };

In both cases, multiple IP addresses can be listed, each ending with a semi-colon (';'). An address range can be specified using the "192.168/16" type of format: the "/16" is the prefix length (a netmask of 255.255.0.0) and would allow zone transfers from any host on the 192.168.0.0 network. Note that a zone with no allow-transfer statement at either level is open to transfers from any host, which is BIND 8's default.
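As an added example (not from the original article), here is a small Python audit script that reads a BIND 8 style named.conf, works out which allow-transfer list actually governs each zone (the zone's own, else the options-level one, else BIND 8's default of any) and flags zones that are still open to everyone. It assumes a config without comments or include statements; the sample config is constructed for the example.

```python
import re

# Constructed sample named.conf in the BIND 8 syntax discussed above.
# The third zone has no allow-transfer of its own and so inherits the options-level list.
SAMPLE_CONF = """
options { allow-transfer { 209.222.164.2; 203.32.61.10; }; };
zone "yourdomain.com" { type master; file "db.yourdomain"; allow-transfer { 11.22.33.44; }; };
zone "open.example" { type master; file "db.open"; allow-transfer { any; }; };
zone "inherits.example" { type slave; file "db.inherits"; masters { 11.22.33.44; }; };
"""

_XFER = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def top_level_blocks(conf):
    """Return (header, body) for each top-level '{ ... }' statement, tracking brace
    depth so a nested address list inside a zone does not end the zone early."""
    blocks, depth, header, body = [], 0, [], []
    for ch in conf:
        if ch == '{':
            if depth == 0:
                body = []          # start of a new top-level statement body
            else:
                body.append(ch)
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                blocks.append((''.join(header).strip(), ''.join(body)))
                header = []
            else:
                body.append(ch)
        elif depth == 0:
            header = [] if ch == ';' else header + [ch]   # ';' ends a statement
        else:
            body.append(ch)
    return blocks


def effective_transfer_acl(conf):
    """Map each zone name to the address list that really governs its transfers."""
    global_acl, zones = ['any'], {}      # BIND 8 default when nothing is configured
    for header, body in top_level_blocks(conf):
        m = _XFER.search(body)
        acl = [a.strip() for a in m.group(1).split(';') if a.strip()] if m else None
        if header == 'options' and acl is not None:
            global_acl = acl
        elif header.startswith('zone'):
            zones[header.split('"')[1]] = acl
    return {z: (acl if acl is not None else global_acl) for z, acl in zones.items()}


def open_zones(conf):
    """Zones whose effective allow-transfer list lets any host pull the whole zone."""
    return sorted(z for z, acl in effective_transfer_acl(conf).items() if 'any' in acl)
```

Running open_zones against a real named.conf gives a quick list of zones to fix before an attacker pulls them with nslookup.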