Dec 31 1998

DNS – restricting zone transfers

When you provide DNS, you are giving out a lot of information, and a zone transfer hands all of it to a hacker at once.  Just by using a simple tool like nslookup, anyone can request a zone transfer from your server.  To restrict zone transfers to specified IP addresses, use the boot file directive xfrnets (BIND 4) or the allow-transfer statement (BIND 8), as described below.

For BIND 4

The following is an extract from man named:

    The "xfrnets" directive (not shown) can be used to implement primitive access control.  If this directive is given, then your name server will only answer zone transfer requests from hosts which are on networks listed in your "xfrnets" directives.  This directive may also be given as "tcplist" for compatibility with older, interim servers.

Here’s what I added to my /etc/named.boot file (well, I used a different IP address):

xfrnets 11.22.33.44&255.255.255.255

This states that zone transfers can be accepted from 11.22.33.44.

Points to note:

  • You can include more than one IP address per line, separated by white space.
  • You can have more than one xfrnets directive per file.
  • Don't put any white space between the IP address, the "&" and the mask.

For BIND 8

Under BIND 8, you should use something like this in named.conf (note that every statement, including the closing brace of a block, ends with a semicolon):

options {
	allow-transfer { 209.222.164.2; 203.32.61.10; };
};

Or you can restrict certain zones to certain addresses:

zone "yourdomain.com" {
	type master;
	file "db.yourdomain";
	allow-transfer { 11.22.33.44; };
};

In both cases, multiple IP addresses can be listed, each ending with a semi-colon (';').   An address range can be specified using the "192.168/16" type of format.   The "/16" is the netmask length, so this entry would allow zone transfers from any host on the 192.168.0.0 network.
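To check a BIND 8 configuration against these rules before relying on it, here is an added Python audit script (not from the original article): it pulls the allow-transfer lists out of a constructed named.conf fragment, expands the short "192.168/16" form, and reports whether a given client address could pull a zone, using BIND's first-match evaluation and its default of allowing transfers when no directive is present at all. The fragment, the zone names and the client addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed named.conf fragment for the audit (not a real server's file).
SAMPLE_CONF = """
options { allow-transfer { 209.222.164.2; 203.32.61.10; }; };
zone "yourdomain.com" { type master; file "db.yourdomain";
    allow-transfer { 11.22.33.44; 192.168/16; }; };
zone "open.example" { type master; file "db.open"; };
"""

def _block_body(text, brace):
    """Text between the '{' at index `brace` and its matching '}'."""
    depth = 0
    for i in range(brace, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return text[brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def parse_named_conf(conf):
    """Map 'options' and each zone name to its allow-transfer list (None = absent)."""
    acls = {}
    for m in re.finditer(r'\b(options|zone\s+"([^"]+)")\s*\{', conf):
        key = "options" if m.group(1) == "options" else m.group(2)
        found = re.search(r"allow-transfer\s*\{([^}]*)\}", _block_body(conf, m.end() - 1))
        acls[key] = [t.strip() for t in found.group(1).split(";") if t.strip()] if found else None
    return acls

def _to_network(token):
    """Accept BIND's short form '192.168/16' as well as plain host addresses."""
    addr, _, prefix = token.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))   # pad 192.168 -> 192.168.0.0
    return ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)

def transfer_allowed(acls, zone, client_ip):
    """First-match evaluation of the zone ACL, falling back to options; no ACL at all means 'any'."""
    acl = acls.get(zone)
    if acl is None:          # zone has no directive: inherit the global one
        acl = acls.get("options")
    if acl is None:          # no directive anywhere: BIND 8 allows every host
        return True
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        name = entry.lstrip("!").strip()
        if name == "any" or (name != "none" and ip in _to_network(name)):
            return not entry.startswith("!")   # a '!' entry is an explicit deny
    return False
```

Run it over your own named.conf to list every zone for which transfer_allowed() returns True for an address outside your secondaries.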